Merge pull request #2705 from splunk/craftycleanup
Tags, Descriptions and Haags - Oh my 🙀
patel-bhavin committed Jun 22, 2023
2 parents 934b509 + 604e161 commit a3625c5
Showing 43 changed files with 44 additions and 11 deletions.
Expand Up @@ -5,7 +5,7 @@ date: '2023-04-28'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic
description: The following analytic is geared towards detecting potential privilege escalation threats in Azure Active Directory (AD). It identifies instances where privileged roles, which hold elevated permissions, are assigned to Service Principals. These non-human entities that can access Azure resources could be exploited in an attack scenario, leading to unauthorized access or malicious activities. The analytic runs a specific search within the ingested Azure AD events, specifically leveraging the AuditLogs log category. Keep in mind, however, that there could be false positives, as administrators may legitimately assign privileged roles to Service Principals.
data_source: []
search: ' `azuread` operationName="Add member to role"
| rename properties.* as *
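Review bot: `data_source: []` is still empty while the new description names the Azure AD AuditLogs log category as the source the analytic relies on; list that source here so the metadata matches the `azuread` operationName="Add member to role" search.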
Expand Up @@ -5,7 +5,7 @@ date: '2019-12-06'
author: Patrick Bareiss, Splunk
status: production
type: TTP
description: Detect memory dumping of the LSASS process.
description: The following analytic is designed to detect potentially malicious activities involving the Local Security Authority Subsystem Service (LSASS) process. Specifically, it identifies when the LSASS process memory is being dumped, an action often associated with credential dumping attacks. This analytic leverages Sysmon logs, particularly those with EventCode 10 related to lsass.exe. It searches for indicators of LSASS memory dumping, such as specific call traces to dbgcore.dll and dbghelp.dll. While memory dumps can be legitimate administrative tasks, LSASS memory dumps are typically unusual and warrant investigation. To implement this analytic, ensure your Sysmon setup includes EventCode 10 logging for lsass.exe and customize the provided macros (sysmon and post-filter macro) to match your specific Splunk environment configuration.
data_source:
- Sysmon Event ID 1
search: '`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll*
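Review bot: `data_source` lists Sysmon Event ID 1, but the search filters on `EventCode=10` (ProcessAccess), which is also the event the new description says the analytic depends on; change the entry to Sysmon Event ID 10 so the metadata matches the logic.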
3 changes: 1 addition & 2 deletions detections/endpoint/attacker_tools_on_endpoint.yml
Expand Up @@ -5,8 +5,7 @@ date: '2021-11-04'
author: Bhavin Patel, Splunk
status: production
type: TTP
description: This search looks for execution of commonly used attacker tools on an
endpoint.
description: The following analytic aims to identify the use of tools commonly exploited by cybercriminals. The use of these tools often signals nefarious activities like unauthorized access, network scanning, or data exfiltration, representing a significant threat to an organization's security infrastructure. By examining process activity on the host, particularly those processes corresponding to known attacker tool names, this analytic serves as an early warning system for potential security incidents. However, its precision must be balanced with the understanding that some administrative activities might also trigger alerts, resulting in false positives. This underlines the importance of cyber analysts having a clear understanding of typical endpoint activities and behaviors within their organization, enabling them to accurately interpret and respond to these alerts.
data_source:
- Sysmon Event ID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
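Review bot: "tools commonly exploited by cybercriminals" in the new description should read "used", and the rewrite no longer states what the search matches, namely process names on the endpoint compared against known attacker tool names; keep the gist of the removed sentence ("looks for execution of commonly used attacker tools on an endpoint") so readers still learn the detection logic.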
Expand Up @@ -5,7 +5,7 @@ date: '2021-09-16'
author: Patrick Bareiss, Rico Valdez, Splunk
status: production
type: TTP
description: Attempt To Add Certificate To Untrusted Store
description: The following analytic is designed to detect potential security threats involving the misuse of system trust. It works by detecting events where a process attempts to add a certificate to the untrusted certificate store, an action often associated with disabling security tools. The analytic uses Sysmon Event ID 1 data source, particularly focusing on process activities and command-line arguments related to 'certutil -addstore'. It's essential to ingest data that records process activity and logs containing process names and command lines for its effective operation. Be aware, sometimes administrators might legitimately perform this action. The analytic's value lies in detecting isolated or unexpected instances, indicative of potential malicious activities. Cybersecurity analysts should understand the importance of trust mechanisms and their subversion in system security.
data_source:
- Sysmon Event ID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process)
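Review bot: the new description says the analytic "uses Sysmon Event ID 1 data source", but the search is a `tstats` query over the `Processes` datamodel object, so any process-creation source mapped to the datamodel will feed it, not only Sysmon; describing it as process-creation events with command lines in the datamodel is more accurate and matches the 'certutil -addstore' criterion the same sentence mentions.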
2 changes: 1 addition & 1 deletion detections/endpoint/create_remote_thread_into_lsass.yml
Expand Up @@ -5,7 +5,7 @@ date: '2019-12-06'
author: Patrick Bareiss, Splunk
status: production
type: TTP
description: Detect remote thread creation into LSASS consistent with credential dumping.
description: The following analytic developed to detect potential credential dumping attacks where a remote thread is created in the Local Security Authority Subsystem Service (LSASS). Credential dumping, a common tactic used by adversaries to steal user authentication credentials, is a significant threat to network security. The analytic leverages Sysmon Event ID 8 logs and looks for processes creating remote threads in lsass.exe, an unusual activity generally linked to credential theft. The confidence level in this alert is high, but it's worth noting that there might be cases where legitimate tools can access LSASS, generating similar logs. As an analyst, it is critical to understand the broader context of such events and differentiate between legitimate activities and possible threats.
data_source:
- Sysmon Event ID 8
search: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime
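Review bot: grammar in the new description: "The following analytic developed to detect" is missing "is". Separately, this search filters on `EventID=8` while the LSASS ProcessAccess search earlier in this commit uses `EventCode`; confirm which field name the `sysmon` macro's source actually yields so one of the two is not silently matching nothing.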
1 change: 1 addition & 0 deletions detections/endpoint/detect_exchange_web_shell.yml
Expand Up @@ -66,6 +66,7 @@ tags:
- T1505
- T1505.003
- T1190
- T1133
observable:
- name: user
type: User
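Review bot: T1133 (External Remote Services) is added here and to every other web, Exchange, Log4Shell, Spring and PaperCut detection in this commit alongside T1190. Dropping a web shell through a public-facing Exchange server is already covered by T1190 and T1505.003; T1133 describes access through legitimate remote services such as VPN or remote-access gateways. If the intent is that the compromised server then serves as an external access point, state that rationale in the PR description so the mapping is reproducible for the remaining files.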
2 changes: 1 addition & 1 deletion detections/endpoint/dump_lsass_via_comsvcs_dll.yml
Expand Up @@ -5,7 +5,7 @@ date: '2023-04-14'
author: Patrick Bareiss, Splunk
status: production
type: TTP
description: Detect the usage of comsvcs.dll for dumping the lsass process.
description: 'The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries. Specifically, it targets the exploitation of the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. Threat actors can use the comsvcs.dll to exploit this process and obtain valuable credentials. The analytic identifies instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump, indicating potential LSASS dumping attempts. This tactic is often part of more extensive attack campaigns and is associated with numerous threat groups. Identifying this behavior is crucial for security operations center (SOC) analysts, as credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. It is important to note that no legitimate use of this technique has been identified so far. The impact of the attack, if a true positive is found, can be severe. Attackers can use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. To implement this analytic, ensure that logs with process information are ingested from your endpoints. However, be aware of potential false positives, as legitimate uses of the LSASS process may cause benign activities to be flagged. Upon triage, review the processes involved in the LSASS dumping attempt, capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. By identifying and mitigating LSASS exploitation attempts early on, SOC analysts can better protect their organization''s assets and prevent potential breaches.'
data_source:
- Sysmon Event ID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
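Review bot: the new description contradicts itself: it first states that "no legitimate use of this technique has been identified so far" and later warns of false positives from "legitimate uses of the LSASS process". The search matches rundll32 loading comsvcs.dll with MiniDump, for which the text claims no benign use, so either drop the second sentence or narrow it to the specific benign case the authors have in mind.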
1 change: 1 addition & 0 deletions detections/endpoint/exchange_powershell_abuse_via_ssrf.yml
Expand Up @@ -45,6 +45,7 @@ tags:
and take action accordingly.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
1 change: 1 addition & 0 deletions detections/endpoint/java_writing_jsp_file.yml
Expand Up @@ -46,6 +46,7 @@ tags:
a jsp file to disk, potentially indicative of exploitation.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
1 change: 1 addition & 0 deletions detections/endpoint/linux_java_spawning_shell.yml
Expand Up @@ -44,6 +44,7 @@ tags:
on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
1 change: 1 addition & 0 deletions detections/endpoint/living_off_the_land.yml
Expand Up @@ -44,6 +44,7 @@ tags:
- T1105
- T1190
- T1059
- T1133
observable:
- name: affected_systems
type: Hostname
Expand Up @@ -53,6 +53,7 @@ tags:
- T1105
- T1190
- T1059
- T1133
observable:
- name: risk_object
type: Hostname
Expand Up @@ -62,6 +62,7 @@ tags:
- T1505
- T1505.003
- T1190
- T1133
observable:
- name: user
type: User
Expand Up @@ -45,6 +45,7 @@ tags:
$dest$
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
Expand Up @@ -33,6 +33,7 @@ tags:
message: Behavior related to exploitation of PaperCut NG has been identified on $host$.
mitre_attack_id:
- T1190
- T1133
observable:
- name: host
type: Hostname
4 changes: 2 additions & 2 deletions detections/endpoint/script_execution_via_wmi.yml
Expand Up @@ -5,7 +5,7 @@ date: '2020-03-16'
author: Rico Valdez, Michael Haag, Splunk
status: production
type: TTP
description: This search looks for scripts launched via WMI.
description: The following analytic is designed to detect the potential misuse of Windows Management Instrumentation (WMI) for malicious purposes. WMI can be utilized by adversaries to execute scripts, a method often employed for maintaining stealth while carrying out malicious activities. The process 'scrcons.exe', integral to executing WMI scripts, is primarily monitored by this analytic. The underlying threat lies in the fact that successful execution of a malicious script can lead to numerous negative outcomes, including system compromise, data exfiltration, or the establishment of persistence. It's essential for cybersecurity analysts to remain vigilant towards unexpected or isolated script executions via WMI, as such instances often signal suspicious activities or potential security breaches. Although uncommon, administrators may occasionally use WMI to launch scripts for legitimate purposes. Therefore, discerning malicious activities from benign ones is crucial in this context.
data_source:
- Sysmon Event ID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
Expand All @@ -27,7 +27,7 @@ tags:
asset_type: Endpoint
confidence: 60
impact: 60
message: A wmic.exe process $process_name$ taht execute script in host $dest$
message: A wmic.exe process $process_name$ that execute script in host $dest$
mitre_attack_id:
- T1047
observable:
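Review bot: the typo fix leaves the risk message ungrammatical ("that execute script") and inconsistent with the new description in the hunk above, which says the analytic primarily monitors 'scrcons.exe' while the message names wmic.exe; reword it to "A $process_name$ process executing a script on host $dest$", naming whichever binary the search actually matches.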
1 change: 1 addition & 0 deletions detections/endpoint/windows_java_spawning_shells.yml
Expand Up @@ -46,6 +46,7 @@ tags:
on endpoint $dest$ spawning a Windows shell, potentially indicative of exploitation.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
1 change: 1 addition & 0 deletions detections/endpoint/windows_papercut_ng_spawn_shell.yml
Expand Up @@ -29,6 +29,7 @@ tags:
mitre_attack_id:
- T1059
- T1190
- T1133
observable:
- name: user
type: User
2 changes: 1 addition & 1 deletion detections/endpoint/wmi_permanent_event_subscription.yml
Expand Up @@ -5,7 +5,7 @@ date: '2018-10-23'
author: Rico Valdez, Splunk
status: experimental
type: TTP
description: This search looks for the creation of WMI permanent event subscriptions.
description: The following analytic seeks to detect the creation of Windows Management Instrumentation (WMI) permanent event subscriptions, a technique often used by adversaries for persistence. Such a subscription allows for the execution of specified scripts or binaries in response to defined system events, potentially enabling malicious activities to persist unnoticed. The analytic uses Sysmon Event ID 5 data, specifically focusing on instances where consumers of these events are not the expected "NTEventLogEventConsumer." Although WMI event subscriptions can be used legitimately by administrators, unusual or unexpected subscription creation should be treated as suspicious. Analysts need to be cognizant of the potential for false positives in legitimate administrative activities and should understand WMI activity within the context of the monitored environment.
data_source:
- Sysmon Event ID 5
search: '`wmi` EventCode=5861 Binding | rex field=Message "Consumer =\s+(?<consumer>[^;|^$]+)"
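Review bot: `data_source` says Sysmon Event ID 5 and the new description repeats it, but the search runs over the `wmi` macro with `EventCode=5861`, the WMI-Activity Operational log event written when a permanent event consumer binding is created; that is not a Sysmon event, and Sysmon's own Event ID 5 is process termination. Correct both the data_source entry and the sentence in the description.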
Expand Up @@ -5,7 +5,7 @@ date: '2020-07-28'
author: Shannon Davis, Splunk
status: experimental
type: TTP
description: This search detects SIGRed via Splunk Stream.
description: The following analytic is an experimental search designed to identify SIGRed exploitation attempts. SIGRed is a severe, wormable, remote code execution vulnerability in Windows DNS servers, identified as CVE-2020-1350. This analytic specifically looks for DNS SIG and KEY records, and TCP payloads larger than 65KB - potential indicators of the SIGRed exploit. It requires ingestion of both Splunk Stream DNS and TCP data. The search does rely on macro definitions for 'stream:dns' and 'stream:tcp', which should be replaced with appropriate configurations tailored to your Splunk environment.
data_source: []
search: '`stream_dns` | spath "query_type{}" | search "query_type{}" IN (SIG,KEY)
| spath protocol_stack | search protocol_stack="ip:tcp:dns" | append [search `stream_tcp`
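Review bot: the new description tells readers to replace macro definitions for 'stream:dns' and 'stream:tcp', but the search uses `stream_dns` and `stream_tcp`; name the macros as they appear in the search so users customize the right ones.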
Expand Up @@ -39,6 +39,7 @@ tags:
occurred.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
Expand Up @@ -44,6 +44,7 @@ tags:
mitre_attack_id:
- T1505
- T1190
- T1133
observable:
- name: dest
type: IP Address
Expand Up @@ -29,6 +29,7 @@ tags:
message: tbd
mitre_attack_id:
- T1082
- T1133
observable:
- name: dest
type: Hostname
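Review bot: `message: tbd` in the context lines is still a placeholder; since this PR is the descriptions-and-tags cleanup, replace it with a risk message that references the $dest$ observable this file already declares.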
Expand Up @@ -58,6 +58,7 @@ tags:
- T1505.003
- T1505
- T1190
- T1133
observable:
- name: dest
type: IP Address
Expand Up @@ -35,6 +35,7 @@ tags:
$dest$.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
1 change: 1 addition & 0 deletions detections/web/fortinet_appliance_auth_bypass.yml
Expand Up @@ -58,6 +58,7 @@ tags:
against $dest$.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
1 change: 1 addition & 0 deletions detections/web/hunting_for_log4shell.yml
Expand Up @@ -82,6 +82,7 @@ tags:
message: Hunting for Log4Shell exploitation has occurred.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
Expand Up @@ -46,6 +46,7 @@ tags:
message: CVE-2021-44228 Log4Shell triggered for host $dest$
mitre_attack_id:
- T1190
- T1133
observable:
- name: user
type: User
Expand Up @@ -41,6 +41,7 @@ tags:
message: CVE-2021-44228 Log4Shell triggered for host $dest$
mitre_attack_id:
- T1190
- T1133
observable:
- name: user
type: User
1 change: 1 addition & 0 deletions detections/web/papercut_ng_remote_web_access_attempt.yml
Expand Up @@ -29,6 +29,7 @@ tags:
message: URIs specific to PaperCut NG have been access by a public IP against $dest$.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
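Review bot: the risk message in the context lines reads "have been access by a public IP"; it should be "accessed". Worth fixing while this file is being touched for tags.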
Expand Up @@ -49,6 +49,7 @@ tags:
message: ProxyShell or ProxyNotShell activity has been identified on $risk_object$.
mitre_attack_id:
- T1190
- T1133
observable:
- name: risk_object
type: Hostname
1 change: 1 addition & 0 deletions detections/web/spring4shell_payload_url_request.yml
Expand Up @@ -36,6 +36,7 @@ tags:
- T1505.003
- T1505
- T1190
- T1133
observable:
- name: dest
type: IP Address
1 change: 1 addition & 0 deletions detections/web/supernova_webshell.yml
Expand Up @@ -30,6 +30,7 @@ tags:
message: tbd
mitre_attack_id:
- T1505.003
- T1133
observable:
- name: user
type: User
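Review bot: `message: tbd` remains a placeholder here as well; a web shell detection should at least name the $user$ observable declared below it in its risk message.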
Expand Up @@ -39,6 +39,7 @@ tags:
$dest$ has occurred.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
Expand Up @@ -40,6 +40,7 @@ tags:
$dest$ has occurred.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
1 change: 1 addition & 0 deletions detections/web/web_jsp_request_via_url.yml
Expand Up @@ -37,6 +37,7 @@ tags:
- T1505.003
- T1505
- T1190
- T1133
observable:
- name: dest
type: Hostname
Expand Up @@ -34,6 +34,7 @@ tags:
$src$.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
Expand Up @@ -36,6 +36,7 @@ tags:
a vulnerability in Spring Cloud.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
Expand Up @@ -54,6 +54,7 @@ tags:
$dest$. Review events and take action accordingly.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
1 change: 1 addition & 0 deletions dev/endpoint/java_writing_jsp_file.yml
Expand Up @@ -42,6 +42,7 @@ tags:
a jsp file to disk, potentially indicative of exploitation.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
1 change: 1 addition & 0 deletions dev/endpoint/linux_java_spawning_shell.yml
Expand Up @@ -44,6 +44,7 @@ tags:
on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
Expand Up @@ -41,6 +41,7 @@ tags:
$dest$
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
1 change: 1 addition & 0 deletions dev/endpoint/windows_java_spawning_shells.yml
Expand Up @@ -41,6 +41,7 @@ tags:
on endpoint $dest$ spawning a Windows shell, potentially indicative of exploitation.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname