From 893969c418922b4145a8849f6790703c40d3d9dc Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 2 Aug 2023 16:11:26 -0700 Subject: [PATCH 1/5] fix 1 --- detections/application/splunk_user_enumeration_attempt.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/detections/application/splunk_user_enumeration_attempt.yml b/detections/application/splunk_user_enumeration_attempt.yml index 741fbe180e..fc3f514aa1 100644 --- a/detections/application/splunk_user_enumeration_attempt.yml +++ b/detections/application/splunk_user_enumeration_attempt.yml @@ -1,7 +1,7 @@ name: Splunk User Enumeration Attempt id: 25625cb4-1c4d-4463-b0f9-7cb462699cde -version: 1 -date: '2022-04-29' +version: 2 +date: '2023-07-31' author: Lou Stella, Splunk status: production type: TTP @@ -11,7 +11,7 @@ description: On May 3rd, 2022, Splunk published a security advisory for usernam as well as actual exploitation in unpatched version of Splunk. data_source: [] search: ' `splunkd_failed_auths` | stats count(user) as auths by user, src | where - auths>5 | stats values(user) as "Users", sum(auths) as TotalFailedAuths by src | + auths>5 | stats dc(user) as "Users", sum(auths) as TotalFailedAuths by src | `splunk_user_enumeration_attempt_filter`' how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may From c2a8846c9939a050d02ddaa7de873e2be4156f0f Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 2 Aug 2023 16:41:05 -0700 Subject: [PATCH 2/5] fix2 --- detections/endpoint/disable_etw_through_registry.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml index 3303cee687..124f8734e6 100644 --- a/detections/endpoint/disable_etw_through_registry.yml +++ b/detections/endpoint/disable_etw_through_registry.yml 
@@ -5,7 +5,7 @@ date: '2023-04-27' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: this search is to identify modification in registry to disable ETW windows +description: This search is to identify modification in registry to disable ETW windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible. @@ -32,7 +32,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Disable ETW Through Registry + message: Disable ETW Through Registry on $dest$ mitre_attack_id: - T1562.001 - T1562 From 2def6d5476d2d5984ea42c99d9437a391eba2a86 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 3 Aug 2023 09:27:34 -0700 Subject: [PATCH 3/5] wrong story --- .../cloud/asl_aws_new_mfa_method_registered_for_user.yml | 7 +++---- .../cloud/aws_new_mfa_method_registered_for_user.yml | 5 ++--- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml index bcc75c8b08..7e5bad0bfa 100644 --- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml @@ -24,10 +24,9 @@ references: - https://attack.mitre.org/techniques/T1556/006/ - https://twitter.com/jhencinski/status/1618660062352007174 tags: - analytic_story: - - Compromised User Account - - Azure Active Directory Account Takeover - asset_type: Azure Active Directory + analytic_story: + - AWS Identity and Access Management Account Takeover + asset_type: AWS Account confidence: 80 impact: 80 message: A new virtual device is added to user $identity.user.name$ 
diff --git a/detections/cloud/aws_new_mfa_method_registered_for_user.yml b/detections/cloud/aws_new_mfa_method_registered_for_user.yml index 7884cc68c0..3b45dfa676 100644 --- a/detections/cloud/aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/aws_new_mfa_method_registered_for_user.yml @@ -25,9 +25,8 @@ references: - https://twitter.com/jhencinski/status/1618660062352007174 tags: analytic_story: - - Compromised User Account - - Azure Active Directory Account Takeover - asset_type: Azure Active Directory + - AWS Identity and Access Management Account Takeover + asset_type: AWS Account confidence: 80 impact: 80 message: A new virtual device $virtualMFADeviceName$ is added to user $user_arn$ From 3f5c79505b1b5687fe6d18d1633ca0941626726f Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 17 Aug 2023 10:27:36 -0700 Subject: [PATCH 4/5] minor fix --- detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml index 7e5bad0bfa..2fd5d4c77d 100644 --- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml @@ -24,7 +24,7 @@ references: - https://attack.mitre.org/techniques/T1556/006/ - https://twitter.com/jhencinski/status/1618660062352007174 tags: - analytic_story: + analytic_story: - AWS Identity and Access Management Account Takeover asset_type: AWS Account confidence: 80 From b9acaa355ed2a59ed82980ce4541cd09977883b4 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 17 Aug 2023 14:12:59 -0700 Subject: [PATCH 5/5] updates from Lou --- detections/application/splunk_user_enumeration_attempt.yml | 6 +++--- detections/endpoint/disable_etw_through_registry.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/detections/application/splunk_user_enumeration_attempt.yml b/detections/application/splunk_user_enumeration_attempt.yml index fc3f514aa1..741fbe180e 100644 --- a/detections/application/splunk_user_enumeration_attempt.yml +++ b/detections/application/splunk_user_enumeration_attempt.yml @@ -1,7 +1,7 @@ name: Splunk User Enumeration Attempt id: 25625cb4-1c4d-4463-b0f9-7cb462699cde -version: 2 -date: '2023-07-31' +version: 1 +date: '2022-04-29' author: Lou Stella, Splunk status: production type: TTP @@ -11,7 +11,7 @@ description: On May 3rd, 2022, Splunk published a security advisory for usernam as well as actual exploitation in unpatched version of Splunk. data_source: [] search: ' `splunkd_failed_auths` | stats count(user) as auths by user, src | where - auths>5 | stats dc(user) as "Users", sum(auths) as TotalFailedAuths by src | + auths>5 | stats values(user) as "Users", sum(auths) as TotalFailedAuths by src | `splunk_user_enumeration_attempt_filter`' how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml index 124f8734e6..c3e4e9ed9f 100644 --- a/detections/endpoint/disable_etw_through_registry.yml +++ b/detections/endpoint/disable_etw_through_registry.yml 
@@ -13,7 +13,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" - Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path + Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`'
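Review bot: In the `search:` hunk of 1/5 (splunk_user_enumeration_attempt.yml), swapping `values(user)` for `dc(user)` while keeping the output name `"Users"` changes that field from the list of usernames tried against each `src` to a bare distinct count, which hides exactly the data an analyst needs to confirm enumeration. If a count is wanted in addition to the names, keep `values(user) as "Users"` and add `dc(user) as UserCount` alongside it rather than replacing one with the other.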
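Review bot: The `description:` hunk of 2/5 (disable_etw_through_registry.yml) only capitalises "This" and leaves the rest of the sentence as it was, still reading "to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible". Since the line is being rewritten anyway, fix the spelling and grammar in the same hunk, for example "to impair defenses of the compromised machine and to execute payloads while raising as few alerts as possible". The surrounding context shows `date: '2023-04-27'` unchanged; 1/5 bumps `version:`/`date:` for a content change, so do the same here for consistency.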
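Review bot: The `message:` hunk of 2/5 introduces `$dest$`, but nothing in that commit makes the search emit a `dest` field; `Registry.dest` is only added to the `BY` clause in the second hunk of 5/5. As committed, 2/5 leaves the notable message with a token that cannot resolve. Move the `Registry.dest` change into this commit (or squash 2/5 with that hunk of 5/5) so each commit in the series is consistent on its own.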
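Review bot: In the asl_aws_new_mfa_method_registered_for_user.yml hunk of 3/5, the retargeting from "Azure Active Directory Account Takeover" / "Azure Active Directory" to "AWS Identity and Access Management Account Takeover" / "AWS Account" is correct for a file named `asl_aws_*`, but the hunk changes tags without touching `version:` or `date:`, whereas 1/5 bumps both for a change to a detection file; bump them here too so consumers can tell the story mapping changed. The new `+  analytic_story: ` line also carries a trailing space (see 4/5).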
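Review bot: 4/5 exists only to strip the trailing space that 3/5 introduced on `analytic_story:` in the same file; squash it into 3/5 ("wrong story") rather than keeping a whitespace-only commit in the history.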
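Review bot: The first hunk of 5/5 is a byte-for-byte revert of 1/5 (the index line reads `fc3f514aa1..741fbe180e`, the reverse of 1/5's `741fbe180e..fc3f514aa1`), restoring `version: 1`, `date: '2022-04-29'` and `values(user)`. The net effect of this series on splunk_user_enumeration_attempt.yml is therefore empty; drop 1/5 and this hunk together (or squash them away) so the log does not record a version bump to 2 that is immediately undone. If the reason `dc(user)` was rejected is the feedback from Lou, state that in the commit message instead of "updates from Lou".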
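Review bot: In the disable_etw_through_registry.yml hunk of 5/5, adding `Registry.dest` to the `BY` clause is what finally makes the `$dest$` token in the 2/5 message resolve, so this belongs with that change. Two pre-existing problems on the same `search:` line are worth fixing while it is being edited: the pipeline applies `` `security_content_ctime(firstTime)` `` and `` `security_content_ctime(lastTime)` `` but the `tstats` only computes `count`, so `firstTime`/`lastTime` never exist (compute them with `count min(_time) as firstTime max(_time) as lastTime` in the `tstats` call), and `| where isnotnull(registry_value_data)` is redundant because the `WHERE` already requires `Registry.registry_value_data = "0x00000000"`.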