Branch was auto-updated.

splunk · Aug 17, 2023 · b581e3a · b581e3a
2 parents 7f8a7d8 + e1b1b99
commit b581e3a
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 9 deletions.
diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
@@ -25,9 +25,8 @@ references:
 - https://twitter.com/jhencinski/status/1618660062352007174
 tags:
   analytic_story:
-  - Compromised User Account
-  - Azure Active Directory Account Takeover
-  asset_type: Azure Active Directory
+  - AWS Identity and Access Management Account Takeover
+  asset_type: AWS Account
   confidence: 80
   impact: 80
   message: A new virtual device is added to user $identity.user.name$

diff --git a/detections/cloud/aws_new_mfa_method_registered_for_user.yml b/detections/cloud/aws_new_mfa_method_registered_for_user.yml
@@ -25,9 +25,8 @@ references:
 - https://twitter.com/jhencinski/status/1618660062352007174
 tags:
   analytic_story:
-  - Compromised User Account
-  - Azure Active Directory Account Takeover
-  asset_type: Azure Active Directory
+  - AWS Identity and Access Management Account Takeover
+  asset_type: AWS Account
   confidence: 80
   impact: 80
   message: A new virtual device $virtualMFADeviceName$ is added to user  $user_arn$

diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml
@@ -5,15 +5,15 @@ date: '2023-04-27'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: TTP
-description: this search is to identify modification in registry to disable ETW windows
+description: This search is to identify modification in registry to disable ETW windows
   feature to evade detections. This technique was seen in several ransomware, RAT
   and even APT to impaire defenses of the compromise machine and to be able to execute
   payload with minimal alert as much as possible.
 data_source:
 - Sysmon Event ID 1
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
   WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled"
-  Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path
+  Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.dest Registry.registry_path
   Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data
   Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data)
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`'
@@ -32,7 +32,7 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: Disable ETW Through Registry
+  message: Disable ETW Through Registry on $dest$
   mitre_attack_id:
   - T1562.001
   - T1562