From a11ba87961ccdb3e9bb84ff1b7f5ef9f553319ab Mon Sep 17 00:00:00 2001 From: tccontre Date: Mon, 3 Jul 2023 14:14:52 +0200 Subject: [PATCH 01/47] Splunk_Attack_Analyzer_Dynamic_Analysis_Fix_Bug --- ...lunk_Attack_Analyzer_Dynamic_Analysis.json | 24 +++++++-------- ...Splunk_Attack_Analyzer_Dynamic_Analysis.py | 30 +++++++++++-------- 2 files changed, 29 insertions(+), 25 deletions(-) diff --git a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json index 83bccbcefe..f5c4981c8f 100644 --- a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json +++ b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json @@ -156,7 +156,7 @@ "targetPort": "15_in" } ], - "hash": "d3278e0db9a8761705897f1307e410d32a715c77", + "hash": "13864bdc7ea935acde9ad6f1be501217c7197c4f", "nodes": { "0": { "data": { @@ -171,8 +171,8 @@ "id": "0", "type": "start", "warnings": {}, - "x": 190, - "y": -7.673861546209082e-13 + "x": 200, + "y": -6.394884621840902e-14 }, "1": { "data": { @@ -265,7 +265,7 @@ }, "connector": "Splunk Attack Analyzer", "connectorConfigs": [ - "splunk_attack_analyzer" + "splunk attack analyzer" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", @@ -308,7 +308,7 @@ }, "connector": "Splunk Attack Analyzer", "connectorConfigs": [ - "splunk_attack_analyzer" + "splunk attack analyzer" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", @@ -317,7 +317,7 @@ "id": "15", "parameters": { "job_id": "filtered-data:detonation_status_filter:condition_1:file_detonation:action_result.data.*.JobID", - "timeout": "10" + "timeout": "3" }, "requiredParameters": [ { @@ -367,7 +367,7 @@ "errors": {}, "id": "17", "type": "code", - "userCode": "\n # Write your custom code here...\n score_id =0\n score_table = {\n \"0\":\"Unknown\",\n \"1\":\"Very_Safe\",\n \"2\":\"Safe\",\n \"3\":\"Probably_Safe\",\n \"4\":\"Leans_Safe\",\n \"5\":\"May_not_be_Safe\",\n \"6\":\"Exercise_Caution\",\n \"7\":\"Suspicious_or_Risky\",\n \"8\":\"Possibly_Malicious\",\n \"9\":\"Probably_Malicious\",\n \"10\":\"Malicious\"\n }\n \n normalized_file_forensic_output__file_score_object = []\n normalized_file_forensic_output__scores = []\n normalized_file_forensic_output__categories = []\n normalized_file_forensic_output__score_id = []\n normalized_file_forensic_output__file = []\n normalized_file_forensic_output__job_id = []\n \n ## pair forensic job results with url detonated\n job_file_dict = {}\n for orig_url, orig_job, filtered_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid, filtered_result_1_parameter_job_id):\n if orig_job == filtered_job:\n job_file_dict[filtered_job] = orig_url\n\n for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections):\n \n ## translate scores\n score_id = int(score_num/10) if score_num > 0 else 0\n score = score_table[str(score_id)]\n file = job_file_dict[job]\n categories = [item.get('Description') for item in detections]\n \n normalized_file_forensic_output__file_score_object.append({'value': file, 'base_score': score_num, 'score': score, 'score_id': score_id, 'categories': categories})\n normalized_file_forensic_output__scores.append(score)\n normalized_file_forensic_output__categories.append(\", \".join(categories))\n normalized_file_forensic_output__score_id.append(score_id)\n normalized_file_forensic_output__file.append(file)\n normalized_file_forensic_output__job_id.append(job)\n \n", + "userCode": "\n # Write your custom code here...\n score_id =0\n score_table = {\n \"0\":\"Unknown\",\n \"1\":\"Very_Safe\",\n \"2\":\"Safe\",\n \"3\":\"Probably_Safe\",\n \"4\":\"Leans_Safe\",\n \"5\":\"May_not_be_Safe\",\n \"6\":\"Exercise_Caution\",\n \"7\":\"Suspicious_or_Risky\",\n \"8\":\"Possibly_Malicious\",\n \"9\":\"Probably_Malicious\",\n \"10\":\"Malicious\"\n }\n \n normalized_file_forensic_output__file_score_object = []\n normalized_file_forensic_output__scores = []\n normalized_file_forensic_output__categories = []\n normalized_file_forensic_output__score_id = []\n normalized_file_forensic_output__file = []\n normalized_file_forensic_output__job_id = []\n \n ## pair forensic job results with url detonated\n job_file_dict = {}\n\n for orig_url, orig_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid):\n for filtered_job in filtered_result_0_data___jobid:\n if orig_job == filtered_job:\n job_file_dict[filtered_job] = orig_url\n \n for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections):\n \n ## translate scores\n score_id = int(score_num/10) if score_num > 0 else 0\n score = score_table[str(score_id)]\n file = job_file_dict[job]\n categories = [item.get('Description') for item in detections]\n \n normalized_file_forensic_output__file_score_object.append({'value': file, 'base_score': score_num, 'score': score, 'score_id': score_id, 'categories': categories})\n normalized_file_forensic_output__scores.append(score)\n normalized_file_forensic_output__categories.append(\", \".join(categories))\n normalized_file_forensic_output__score_id.append(score_id)\n normalized_file_forensic_output__file.append(file)\n normalized_file_forensic_output__job_id.append(job)\n \n", "warnings": {}, "x": 340, "y": 1260 @@ -571,7 +571,7 @@ }, "connector": "Splunk Attack Analyzer", "connectorConfigs": [ - "splunk_attack_analyzer" + "splunk attack analyzer" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", @@ -652,7 +652,7 @@ }, "connector": "Splunk Attack Analyzer", "connectorConfigs": [ - "splunk_attack_analyzer" + "splunk attack analyzer" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", @@ -661,7 +661,7 @@ "id": "6", "parameters": { "job_id": "filtered-data:url_status_filter:condition_1:url_detonation:action_result.data.*.JobID", - "timeout": "5" + "timeout": "2" }, "requiredParameters": [ { @@ -747,7 +747,7 @@ "errors": {}, "id": "8", "type": "code", - "userCode": "\n # Write your custom code here...\n score_id =0\n score_table = {\n \"0\":\"Unknown\",\n \"1\":\"Very_Safe\",\n \"2\":\"Safe\",\n \"3\":\"Probably_Safe\",\n \"4\":\"Leans_Safe\",\n \"5\":\"May_not_be_Safe\",\n \"6\":\"Exercise_Caution\",\n \"7\":\"Suspicious_or_Risky\",\n \"8\":\"Possibly_Malicious\",\n \"9\":\"Probably_Malicious\",\n \"10\":\"Malicious\"\n }\n \n normalized_url_forensic_output__url_score_object = []\n normalized_url_forensic_output__scores = []\n normalized_url_forensic_output__categories = []\n normalized_url_forensic_output__score_id = []\n normalized_url_forensic_output__url = []\n normalized_url_forensic_output__job_id = []\n\n ## pair forensic job results with url detonated\n job_url_dict = {}\n for orig_url, orig_job, filtered_job in zip(filtered_result_0_parameter_url, filtered_result_0_data___jobid, filtered_result_1_parameter_job_id):\n if orig_job == filtered_job:\n job_url_dict[filtered_job] = orig_url\n \n for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections):\n \n ## translate scores\n score_id = int(score_num/10) if score_num > 0 else 0\n score = score_table[str(score_id)]\n url = job_url_dict[job]\n categories = [item.get('Description') for item in detections]\n \n # Attach final object\n normalized_url_forensic_output__url_score_object.append({'value': url, 'base_score': score_num, 'score': score, 'score_id': score_id, 'categories': categories})\n normalized_url_forensic_output__scores.append(score)\n normalized_url_forensic_output__categories.append(\", \".join(categories))\n normalized_url_forensic_output__score_id.append(score_id)\n normalized_url_forensic_output__url.append(url)\n normalized_url_forensic_output__job_id.append(job)\n\n", + "userCode": "\n # Write your custom code here...\n score_id =0\n score_table = {\n \"0\":\"Unknown\",\n \"1\":\"Very_Safe\",\n \"2\":\"Safe\",\n \"3\":\"Probably_Safe\",\n \"4\":\"Leans_Safe\",\n \"5\":\"May_not_be_Safe\",\n \"6\":\"Exercise_Caution\",\n \"7\":\"Suspicious_or_Risky\",\n \"8\":\"Possibly_Malicious\",\n \"9\":\"Probably_Malicious\",\n \"10\":\"Malicious\"\n }\n \n normalized_url_forensic_output__url_score_object = []\n normalized_url_forensic_output__scores = []\n normalized_url_forensic_output__categories = []\n normalized_url_forensic_output__score_id = []\n normalized_url_forensic_output__url = []\n normalized_url_forensic_output__job_id = []\n\n ## pair forensic job results with url detonated\n job_url_dict = {}\n\n for orig_url, orig_job in zip(filtered_result_0_parameter_url, filtered_result_0_data___jobid):\n for filtered_job in filtered_result_0_data___jobid:\n if orig_job == filtered_job:\n job_url_dict[filtered_job] = orig_url\n \n for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections):\n \n ## translate scores\n score_id = int(score_num/10) if score_num > 0 else 0\n score = score_table[str(score_id)]\n url = job_url_dict[job]\n categories = [item.get('Description') for item in detections]\n \n # Attach final object\n normalized_url_forensic_output__url_score_object.append({'value': url, 'base_score': score_num, 'score': score, 'score_id': score_id, 'categories': categories})\n normalized_url_forensic_output__scores.append(score)\n normalized_url_forensic_output__categories.append(\", \".join(categories))\n normalized_url_forensic_output__score_id.append(score_id)\n normalized_url_forensic_output__url.append(url)\n normalized_url_forensic_output__job_id.append(job)\n\n", "warnings": {}, "x": 0, "y": 1260 @@ -800,7 +800,7 @@ "schema": "5.0.9", "version": "6.0.0.114895" }, - "create_time": "2023-04-29T01:27:41.839151+00:00", + "create_time": "2023-07-03T11:44:44.497724+00:00", "draft_mode": false, "labels": [ "*" diff --git a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py index b0c7fbba89..bf00f75984 100644 --- a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py +++ b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py @@ -83,7 +83,7 @@ def url_detonation(action=None, success=None, container=None, results=None, hand ## Custom Code End ################################################################################ - phantom.act("detonate url", parameters=parameters, name="url_detonation", assets=["splunk_attack_analyzer"], callback=url_status_filter) + phantom.act("detonate url", parameters=parameters, name="url_detonation", assets=["splunk attack analyzer"], callback=url_status_filter) return @@ -131,7 +131,7 @@ def get_url_forensics_output(action=None, success=None, container=None, results= if filtered_result_0_item_url_status_filter[0] is not None: parameters.append({ "job_id": filtered_result_0_item_url_status_filter[0], - "timeout": 5, + "timeout": 2, }) ################################################################################ @@ -152,7 +152,7 @@ def get_url_forensics_output(action=None, success=None, container=None, results= ## Custom Code End ################################################################################ - phantom.act("get job forensics", parameters=parameters, name="get_url_forensics_output", assets=["splunk_attack_analyzer"], callback=get_jobid_forensic_filter) + phantom.act("get job forensics", parameters=parameters, name="get_url_forensics_output", assets=["splunk attack analyzer"], callback=get_jobid_forensic_filter) return @@ -234,10 +234,12 @@ def normalized_url_forensic_output(action=None, success=None, container=None, re ## pair forensic job results with url detonated job_url_dict = {} - for orig_url, orig_job, filtered_job in zip(filtered_result_0_parameter_url, filtered_result_0_data___jobid, filtered_result_1_parameter_job_id): - if orig_job == filtered_job: - job_url_dict[filtered_job] = orig_url - + + for orig_url, orig_job in zip(filtered_result_0_parameter_url, filtered_result_0_data___jobid): + for filtered_job in filtered_result_0_data___jobid: + if orig_job == filtered_job: + job_url_dict[filtered_job] = orig_url + for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections): ## translate scores @@ -403,7 +405,7 @@ def file_detonation(action=None, success=None, container=None, results=None, han ## Custom Code End ################################################################################ - phantom.act("detonate file", parameters=parameters, name="file_detonation", assets=["splunk_attack_analyzer"], callback=detonation_status_filter) + phantom.act("detonate file", parameters=parameters, name="file_detonation", assets=["splunk attack analyzer"], callback=detonation_status_filter) return @@ -428,7 +430,7 @@ def get_file_forensics_output(action=None, success=None, container=None, results if filtered_result_0_item_detonation_status_filter[0] is not None: parameters.append({ "job_id": filtered_result_0_item_detonation_status_filter[0], - "timeout": 10, + "timeout": 3, }) ################################################################################ @@ -449,7 +451,7 @@ def get_file_forensics_output(action=None, success=None, container=None, results ## Custom Code End ################################################################################ - phantom.act("get job forensics", parameters=parameters, name="get_file_forensics_output", assets=["splunk_attack_analyzer"], callback=file_forensics_filter) + phantom.act("get job forensics", parameters=parameters, name="get_file_forensics_output", assets=["splunk attack analyzer"], callback=file_forensics_filter) return @@ -508,10 +510,12 @@ def normalized_file_forensic_output(action=None, success=None, container=None, r ## pair forensic job results with url detonated job_file_dict = {} - for orig_url, orig_job, filtered_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid, filtered_result_1_parameter_job_id): - if orig_job == filtered_job: - job_file_dict[filtered_job] = orig_url + for orig_url, orig_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid): + for filtered_job in filtered_result_0_data___jobid: + if orig_job == filtered_job: + job_file_dict[filtered_job] = orig_url + for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections): ## translate scores From 730fbcaa106fbe8b57b41bb3be3ce80dd14def63 Mon Sep 17 00:00:00 2001 From: Eric Li Date: Wed, 9 Aug 2023 16:46:25 -0700 Subject: [PATCH 02/47] Add playbook Jira_Related_Tickets_Search --- playbooks/Jira_Related_Tickets_Search.json | 544 ++++++++++++++++++ playbooks/Jira_Related_Tickets_Search.png | Bin 0 -> 56200 bytes playbooks/Jira_Related_Tickets_Search.py | 628 +++++++++++++++++++++ 3 files changed, 1172 insertions(+) create mode 100644 playbooks/Jira_Related_Tickets_Search.json create mode 100644 playbooks/Jira_Related_Tickets_Search.png create mode 100644 playbooks/Jira_Related_Tickets_Search.py diff --git a/playbooks/Jira_Related_Tickets_Search.json b/playbooks/Jira_Related_Tickets_Search.json new file mode 100644 index 0000000000..8eb4704bd6 --- /dev/null +++ b/playbooks/Jira_Related_Tickets_Search.json @@ -0,0 +1,544 @@ +{ + "blockly": false, + "blockly_xml": "", + "category": "Related Tickets Search", + "coa": { + "data": { + "description": "Accepts a user or device and identifies if related tickets exists in a timeframe of last 30 days. Generates a global report and list of observables.", + "edges": [ + { + "id": "port_0_to_port_10", + "sourceNode": "0", + "sourcePort": "0_out", + "targetNode": "10", + "targetPort": "10_in" + }, + { + "id": "port_16_to_port_25", + "sourceNode": "16", + "sourcePort": "16_out", + "targetNode": "25", + "targetPort": "25_in" + }, + { + "id": "port_14_to_port_16", + "sourceNode": "14", + "sourcePort": "14_out", + "targetNode": "16", + "targetPort": "16_in" + }, + { + "id": "port_27_to_port_19", + "sourceNode": "27", + "sourcePort": "27_out", + "targetNode": "19", + "targetPort": "19_in" + }, + { + "conditions": [ + { + "index": 0 + } + ], + "id": "port_10_to_port_26", + "sourceNode": "10", + "sourcePort": "10_out", + "targetNode": "26", + "targetPort": "26_in" + }, + { + "id": "port_26_to_port_27", + "sourceNode": "26", + "sourcePort": "26_out", + "targetNode": "27", + "targetPort": "27_in" + }, + { + "id": "port_19_to_port_29", + "sourceNode": "19", + "sourcePort": "19_out", + "targetNode": "29", + "targetPort": "29_in" + }, + { + "conditions": [ + { + "index": 0 + } + ], + "id": "port_29_to_port_14", + "sourceNode": "29", + "sourcePort": "29_out", + "targetNode": "14", + "targetPort": "14_in" + }, + { + "conditions": [ + { + "index": 1 + } + ], + "id": "port_29_to_port_28", + "sourceNode": "29", + "sourcePort": "29_out", + "targetNode": "28", + "targetPort": "28_in" + }, + { + "id": "port_25_to_port_30", + "sourceNode": "25", + "sourcePort": "25_out", + "targetNode": "30", + "targetPort": "30_in" + }, + { + "id": "port_28_to_port_30", + "sourceNode": "28", + "sourcePort": "28_out", + "targetNode": "30", + "targetPort": "30_in" + }, + { + "id": "port_30_to_port_1", + "sourceNode": "30", + "sourcePort": "30_out", + "targetNode": "1", + "targetPort": "1_in" + } + ], + "globalCustomCode": null, + "hash": "39f254669883d18405a03c2000eef5d9e8fe5829", + "nodes": { + "0": { + "data": { + "advanced": { + "join": [] + }, + "functionName": "on_start", + "id": "0", + "type": "start" + }, + "errors": {}, + "id": "0", + "type": "start", + "warnings": {}, + "x": 190, + "y": 0 + }, + "1": { + "data": { + "advanced": { + "join": [] + }, + "functionName": "on_finish", + "id": "1", + "type": "end" + }, + "errors": {}, + "id": "1", + "type": "end", + "warnings": {}, + "x": 190, + "y": 1754 + }, + "10": { + "data": { + "advanced": { + "customName": "input filter", + "customNameId": 0, + "delimiter": ",", + "delimiter_enabled": true, + "description": "Creates a dataset without None values.", + "join": [], + "note": "Creates a dataset without None values." + }, + "conditions": [ + { + "comparisons": [ + { + "conditionIndex": 0, + "op": "!=", + "param": "playbook_input:search_term", + "value": "None" + } + ], + "conditionIndex": 0, + "customName": "search term exists", + "logic": "and" + } + ], + "functionId": 1, + "functionName": "input_filter", + "id": "10", + "type": "filter" + }, + "errors": {}, + "id": "10", + "type": "filter", + "warnings": {}, + "x": 230, + "y": 148 + }, + "14": { + "data": { + "advanced": { + "customName": "process results", + "customNameId": 0, + "description": "Iterates through the results of the run ticket query to link playbook input search term to their associated tickets.", + "join": [], + "note": "Iterates through the results of the run ticket query to link playbook input search term to their associated tickets." + }, + "functionId": 3, + "functionName": "process_results", + "id": "14", + "inputParameters": [ + "filtered-data:input_filter:condition_1:playbook_input:search_term", + "run_ticket_query:action_result.data" + ], + "outputVariables": [ + "output" + ], + "type": "code" + }, + "errors": {}, + "id": "14", + "type": "code", + "userCode": "\n import re\n from collections import Counter\n\n def traverse_string_in_structure(data):\n \"\"\"\n Return all strings in a Python data structure.\n\n Input: a Python data structure.\n If the input is a string, it is returned.\n If the input is a dictionary, all its values are traversed recursively.\n If the input is a list or tuple, all its items are traversed recursively.\n For other input types, they are not traversed.\n \"\"\"\n if type(data) == str:\n yield data\n elif type(data) == dict:\n for i in data.values():\n yield from traverse_string_in_structure(i)\n elif type(data) in [list, tuple]:\n for i in data:\n yield from traverse_string_in_structure(i)\n else:\n pass\n\n def match_string_in_structure(search_term, data):\n \"\"\"\n Look for exact match of a search term in a Python data structure.\n\n Input:\n search_term: text to be searched, case insensitive.\n data: a Python data structure to be searched, see traverse_string_in_structure().\n\n Output: A boolean value indicating whether search_term is found in data.\n \"\"\"\n for i in traverse_string_in_structure(data):\n if search_term.lower() in i.lower():\n return True\n return False\n\n def match_string_in_jira_ticket(search_term, ticket):\n \"\"\"\n Look for exact match of a search term in a Jira ticket.\n\n Input:\n search_term: text to be searched, case insensitive.\n ticket: a dictionary returned from the \"list tickets\" Jira action. Example:\n {\n \"id\": \"1234567\",\n \"name\": \"JIRA-890\",\n \"fields\": {\n \"votes\": {...},\n \"security\": null,\n \"customfield_1234\": \"Please fix JIRA-890\",\n \"customfield_1235\": null,\n \"customfield_1236\": null,\n ...\n },\n ...\n }\n\n Output: A list of field names in which the search term is found. e.g. ['name', 'votes', 'customfield_1234']\n Most field names can be accessed in ticket['fields'][field_name], with the exception that 'name' can be found in ticket['name'].\n \"\"\"\n\n found_fields = []\n\n # Handle the exception ticket['name']\n if match_string_in_structure(search_term, ticket['name']):\n found_fields.append('name')\n\n # Handle ticket['fields'][field_name]\n for key, value in ticket['fields'].items():\n if match_string_in_structure(search_term, ticket['fields'][key]):\n found_fields.append(key)\n\n return found_fields\n\n def guess_jira_ticket_link(ticket):\n \"\"\"\n Guess the link to Jira ticket.\n\n This function searches the ticket data structure for Jira host name. Then it constructs the link using the /browse/ endpoint.\n\n Input: a dictionary returned from the \"list tickets\" Jira action. Example:\n {\n \"id\": \"1234567\",\n \"name\": \"JIRA-890\",\n \"fields\": {...},\n ...\n }\n Output: a URL that points to the ticket, e.g. \"https://jira.example.com/browse/JIRA-890\"\n \"\"\"\n\n origins = Counter()\n for i in traverse_string_in_structure(ticket):\n matched = re.match('https?:\\/\\/[^\\/]+/', i)\n if matched is not None:\n origins[matched.group()] += 1\n try:\n origin = origins.most_common()[0][0]\n return f'{origin}browse/{ticket[\"name\"]}'\n except (KeyError, IndexError):\n return None\n\n # Group tickets based on search term.\n process_results__output = {}\n for search_term in filtered_input_0_search_term_values:\n process_results__output[search_term] = []\n for ticket_list in run_ticket_query_result_item_0:\n for ticket in ticket_list:\n matched_fields = match_string_in_jira_ticket(search_term, ticket)\n if matched_fields:\n process_results__output[search_term].append({\n **ticket,\n \"matched_fields\": matched_fields,\n \"source_link\": guess_jira_ticket_link(ticket),\n })\n\n", + "warnings": {}, + "x": 0, + "y": 1042 + }, + "16": { + "customCode": null, + "data": { + "advanced": { + "customName": "build output", + "customNameId": 0, + "description": "Extracts relevant data and add them to an observable array.", + "join": [], + "note": "Extracts relevant data and add them to an observable array." + }, + "functionId": 5, + "functionName": "build_output", + "id": "16", + "inputParameters": [ + "process_results:custom_function:output" + ], + "outputVariables": [ + "observable_array", + "summary", + "name", + "description", + "create_time", + "updated_time", + "assignee", + "reporter", + "status", + "ticket_type", + "priority", + "resolution", + "matched_fields", + "source_link", + "source" + ], + "type": "code" + }, + "errors": {}, + "id": "16", + "type": "code", + "userCode": "\n def markdown_escape(string):\n \"\"\"\n Escape a string in Markdown.\n\n Input: a string or an object that can be converted to string using str(). e.g. \"index=* | top\"\n Output: escaped string. e.g. \"index=\\* \\| top\"\n \"\"\"\n\n # Must keep '\\\\' in the first, because it is used to escape other characters\n special_chars = ['\\\\', '`', '*', '_', '{', '}', '[', ']', '<', '>', '(', ')', '#', '+', '-', '.', '!', '|']\n ans = str(string)\n for i in special_chars:\n ans = ans.replace(i, '\\\\' + i)\n return ans\n\n build_output__observable_array = []\n build_output__summary = []\n build_output__name = []\n build_output__description = []\n build_output__create_time = []\n build_output__updated_time = []\n build_output__assignee = []\n build_output__reporter = []\n build_output__status = []\n build_output__ticket_type = []\n build_output__priority = []\n build_output__resolution = []\n build_output__matched_fields = []\n build_output__source_link = []\n build_output__source = []\n\n for key in process_results__output.keys():\n \n for value in process_results__output[key]:\n # Extract fields from ticket object.\n ticket = {}\n ticket['summary'] = value.get('summary')\n ticket['name'] = value.get('name')\n ticket['description'] = json.dumps(value['description']) # eliminate new line issues\n ticket['create_time'] = value['fields'].get('created')\n ticket['updated_time'] = value['fields'].get('updated')\n ticket['assignee'] = value['fields'].get('assignee', {}).get('displayName', '')\n ticket['reporter'] = value.get('reporter')\n ticket['status'] = value.get('status')\n ticket['ticket_type'] = value.get('issue_type')\n ticket['priority'] = value.get('priority')\n ticket['resolution'] = value.get('resolution')\n ticket['matched_fields'] = value.get('matched_fields')\n ticket['source_link'] = value.get('source_link')\n ticket['source'] = 'Jira'\n\n # Extract comments (only included in the observable object, not in other output variables).\n ticket['comments'] = []\n for comment in value['fields']['comment']['comments']:\n ticket['comments'].append(comment['body'])\n \n # Construct observable object\n observable_object = {\n \"value\": key,\n \"ticket\": ticket,\n \"matched_fields\": value['matched_fields'],\n \"source\": ticket['source'],\n \"source_link\": ticket['source_link']\n }\n\n # Add results to VPE code output\n build_output__observable_array.append(observable_object)\n build_output__summary.append(markdown_escape(ticket['summary']))\n build_output__name.append(markdown_escape(ticket['name']))\n build_output__description.append(markdown_escape(ticket['description']))\n build_output__create_time.append(markdown_escape(ticket['create_time']))\n build_output__updated_time.append(markdown_escape(ticket['updated_time']))\n build_output__assignee.append(markdown_escape(ticket['assignee']))\n build_output__reporter.append(markdown_escape(ticket['reporter']))\n build_output__status.append(markdown_escape(ticket['status']))\n build_output__ticket_type.append(markdown_escape(ticket['ticket_type']))\n build_output__priority.append(markdown_escape(ticket['priority']))\n build_output__resolution.append(markdown_escape(ticket['resolution']))\n build_output__matched_fields.append(markdown_escape(ticket['matched_fields']))\n build_output__source_link.append(markdown_escape(ticket['source_link']))\n build_output__source.append(markdown_escape(ticket['source']))\n\n", + "warnings": {}, + "x": 0, + "y": 1220 + }, + "19": { + "data": { + "action": "list tickets", + "actionType": "investigate", + "advanced": { + "customName": "run ticket query", + "customNameId": 0, + "description": "Performs a text search match within Jira.", + "join": [], + "note": "Performs a text search match within Jira." + }, + "connector": "Jira", + "connectorConfigs": [ + "jira" + ], + "connectorId": "1e1618e7-2f70-4fc0-916a-f96facc2d2e1", + "connectorVersion": "v1", + "functionId": 1, + "functionName": "run_ticket_query", + "id": "19", + "parameters": { + "max_results": 1000, + "query": "build_query:formatted_data", + "start_index": "0" + }, + "requiredParameters": [ + { + "data_type": "numeric", + "default": 1000, + "field": "max_results" + } + ], + "type": "action" + }, + "errors": {}, + "id": "19", + "type": "action", + "warnings": {}, + "x": 170, + "y": 684 + }, + "25": { + "data": { + "advanced": { + "customName": "format success report", + "customNameId": 0, + "description": "Formats a summary table with the information gathered from the playbook.", + "join": [], + "note": "Formats a summary table with the information gathered from the playbook." + }, + "functionId": 3, + "functionName": "format_success_report", + "id": "25", + "parameters": [ + "build_output:custom_function:summary", + "build_output:custom_function:name", + "build_output:custom_function:description", + "build_output:custom_function:create_time", + "build_output:custom_function:updated_time", + "build_output:custom_function:assignee", + "build_output:custom_function:reporter", + "build_output:custom_function:status", + "build_output:custom_function:ticket_type", + "build_output:custom_function:priority", + "build_output:custom_function:resolution", + "build_output:custom_function:matched_fields", + "build_output:custom_function:source", + "build_output:custom_function:source_link" + ], + "template": "SOAR retrieved tickets from Jira. The table below shows a summary of the information gathered.\n\n| Summary | Name | Description | Create Time | Update Time | Assignee | Reporter | Status | Type | Priority | Resolution | Matched Fields | Source | Source Link |\n| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |\n%%\n| {0} | {1} | {2} | {3} | {4} | {5} | {6} | {7} | {8} | {9} | {10} | {11} | {12} | {13} |\n%%\n", + "type": "format" + }, + "errors": {}, + "id": "25", + "type": "format", + "warnings": {}, + "x": 0, + "y": 1398 + }, + "26": { + "data": { + "advanced": { + "customName": "escape input", + "customNameId": 0, + "description": "Escapes the input strings to be added to JQL.", + "join": [], + "note": "Escapes the input strings to be added to JQL." + }, + "functionId": 1, + "functionName": "escape_input", + "id": "26", + "inputParameters": [ + "filtered-data:input_filter:condition_1:playbook_input:search_term" + ], + "outputVariables": [ + "search_term" + ], + "type": "code" + }, + "errors": {}, + "id": "26", + "type": "code", + "userCode": "\n # Write your custom code here...\n\n def escape_search_term(search_term):\n \"\"\"\n Escape a string to allow it to be passed as part of JQL.\n\n This function escapes the following characters: \"'\", '\"', '\\t', '\\n', '\\r', and '\\\\'.\n\n Example:\n Function input: search_term=\"abc'def\"\n Function return value: r\"abc\\\\\\'def\"\n Intended JQL snippet: r'''text ~ \"\\\"abc\\\\\\'def\\\"\"'''\n \"\"\"\n ans = search_term\n # Note: escape backslash ('\\\\') at the beginning, since other escapes generate backslash.\n ans = ans.replace('\\\\', r\"\\\\\\\\\")\n ans = ans.replace('\\t', r'\\\\\\t')\n ans = ans.replace('\\n', r'\\\\\\n')\n ans = ans.replace('\\r', r'\\\\\\r')\n ans = ans.replace('\\\"', r'\\\\\\\"')\n ans = ans.replace(\"\\'\", r\"\\\\\\'\")\n return ans\n\n escape_input__search_term = []\n for i in filtered_input_0_search_term_values:\n escape_input__search_term.append(escape_search_term(i))\n\n", + "warnings": {}, + "x": 170, + "y": 328 + }, + "27": { + "data": { + "advanced": { + "customName": "build query", + "customNameId": 0, + "description": "Converts playbook input into a JQL query. The query searches for issues created less than 30 days ago that match at least one playbook input keyword.\n\nThe delimiter is set to '\\\"\" OR text ~ \"\\\"', so when multiple inputs are provided to the playbook, the request queries all keywords using OR in JQL.", + "drop_none": true, + "join": [], + "note": "Converts playbook input into a JQL query. The query searches for issues created less than 30 days ago that match at least one playbook input keyword.\n\nThe delimiter is set to '\\\"\" OR text ~ \"\\\"', so when multiple inputs are provided to the playbook, the request queries all keywords using OR in JQL.", + "separator": "\\\"\" OR text ~ \"\\\"" + }, + "functionId": 1, + "functionName": "build_query", + "id": "27", + "parameters": [ + "escape_input:custom_function:search_term" + ], + "template": "(text ~ \"\\\"{0}\\\"\") AND created > -30d", + "type": "format" + }, + "errors": {}, + "id": "27", + "type": "format", + "warnings": {}, + "x": 170, + "y": 506 + }, + "28": { + "data": { + "advanced": { + "customName": "format error report", + "customNameId": 0, + "description": "Formats a report that contains error message from the run ticket query action.", + "join": [], + "note": "Formats a report that contains error message from the run ticket query action." + }, + "functionId": 2, + "functionName": "format_error_report", + "id": "28", + "parameters": [ + "run_ticket_query:action_result.message" + ], + "template": "SOAR is unable to retrieve tickets from Jira. Error message from Jira:\n```\n{0}\n```", + "type": "format" + }, + "errors": {}, + "id": "28", + "type": "format", + "warnings": {}, + "x": 340, + "y": 1398 + }, + "29": { + "data": { + "advanced": { + "customName": "handle query error", + "customNameId": 0, + "description": "Checks whether the run ticket query action returns an error.", + "join": [], + "note": "Checks whether the run ticket query action returns an error." + }, + "conditions": [ + { + "comparisons": [ + { + "conditionIndex": 0, + "op": "==", + "param": "run_ticket_query:action_result.status", + "value": "success" + } + ], + "conditionIndex": 0, + "customName": "query succeeded", + "display": "If", + "logic": "and", + "type": "if" + }, + { + "comparisons": [ + { + "conditionIndex": 1, + "op": "==", + "param": "", + "value": "" + } + ], + "conditionIndex": 1, + "customName": "query failed", + "display": "Else", + "logic": "and", + "type": "else" + } + ], + "functionId": 1, + "functionName": "handle_query_error", + "id": "29", + "type": "decision" + }, + "errors": {}, + "id": "29", + "type": "decision", + "warnings": {}, + "x": 250, + "y": 862 + }, + "30": { + "data": { + "advanced": { + "customName": "combine reports", + "customNameId": 0, + "description": "Combines reports from success path and error path.", + "join": [], + "note": "Combines reports from success path and error path." + }, + "functionId": 4, + "functionName": "combine_reports", + "id": "30", + "parameters": [ + "format_success_report:formatted_data", + "format_error_report:formatted_data" + ], + "template": "{0}{1}", + "type": "format" + }, + "errors": {}, + "id": "30", + "type": "format", + "warnings": {}, + "x": 170, + "y": 1576 + } + }, + "notes": "Inputs: user, device\nInteractions: Jira\nActions: run query\nOutputs: report, observables" + }, + "input_spec": [ + { + "contains": [ + "user name", + "host name" + ], + "description": "Find tickets in Jira that have mentioned this search term..", + "name": "search_term" + } + ], + "output_spec": [ + { + "contains": [], + "datapaths": [ + "build_output:custom_function:observable_array" + ], + "deduplicate": false, + "description": "An array of observable dictionaries with value, type, score, score_id, and categories.", + "metadata": {}, + "name": "observable" + }, + { + "contains": [], + "datapaths": [ + "combine_reports:formatted_data" + ], + "deduplicate": false, + "description": "An array of reports. One report per reputation category.", + "metadata": {}, + "name": "markdown_report" + } + ], + "playbook_type": "data", + "python_version": "3", + "schema": "5.0.10", + "version": "6.1.0.131" + }, + "create_time": "2023-08-09T23:38:55.771523+00:00", + "draft_mode": false, + "labels": [ + "*" + ], + "tags": [ + "user", + "device", + "host name", + "ticket", + "Jira" + ] +} \ No newline at end of file diff --git a/playbooks/Jira_Related_Tickets_Search.png b/playbooks/Jira_Related_Tickets_Search.png new file mode 100644 index 0000000000000000000000000000000000000000..09b0f69f04b87f366ab6701d876d992bcbc4e992 GIT binary patch literal 56200 zcmce;1z43`*DeZ65Cjz@1yMq}K?Dg2$we(>(VZgQ%_2lWRJt4KMnFIsR9Zp0LqfW{ z_gpCN`+nc|?|sfbd;iDlLY~DF>zQ+oIp#g?agQ0GATN0Xixdk51?2`*N=y+21wxC0 zg64>M75pU#?IsNh3aYxPsHg%|RFp!&&ia|Dg)s^WeW+uIkjxWX0zdMO4^OfwsnQ!M zeS2uVLOJ(#Jori zhp9P)3-7$mqaQy9BHADM}HSS+_dmn%AXmhH2rv|Ip;Hl})(a}7&;4gdC z9PWdqcFIp$%q12nl(}_<ogC%tB7>~uZ>Q!kh%jxpfV>jn^wFF{vf*bfWFQQ2@1KzT6 zsG6L`#^!guYK93?7LSJo1R5I z^2SgxB=O}~C zbX2*|$cpu|4nbe57^^{_$;qKGf@4e+RDV+xG;o9pen`O&3d)r*KNJk`8xQ=5r9dvv zLTFR2Tppu2A}f#DMaE$yj8x_UHB@X6~snp~YC`7I8j48NT z*;(1C1hFV6C{{HWWTs}w4*xu02)W*To+KK}CTzvy;M~BB$RLC#->)-G9GGbGY$s}M3BJ=o@b97dbMrq>{<%?r4cYX6bj9y}zW6KX zXhAFiw!a2V5Q|R4LJkE*7zHXOqU3_QGJY+AOnm&{e7&RdrQW_0o9a_vp2y++1h@eERcC6bL4TH~25YTR0u9 zUHBHRFbXOf@;^xmMO9V0z#D;z%7n}kl=bI{zBqzbsB0J%e$FK1MFITi#%@Jo=R}ha)-!c!xq~{=+ncRjsq9DF@^)=(cBVTd`5M>i5mU)`=K>U zP^f(gD`vQ3BL4f8eL}9`#=Km40oT500GhPAcSCwa(M@B~i}Msl5HwoK>M14SiwF29 z5>c=-%;kv=|86p7EQ$}bmGx2o@290ipkvBPA1*0y|9;pLT46oB5^QW9ZD0b8!3GF&TL^w&C26HeSvg-+*@x${Y{g z9sx43i`3Bk!H~8r zqoBlR!4|qe#T{7ulwaiEG%Dv#Jz;F3fZH42EQi02-f^k{Vw=FkF*K}mET3q z)W)P=m@9>M!w}|=14oN7UZy`5tcI2v#TAAttVaL|l`8A&8<0+a^T~_g9Zi`z^SyAN zGtYn~Kj~a8f~!8#1QhH!U-P6Bn`MPDXym@*i|6JlkxUz^+>}qS_F*)A{yd_vKoe7b zORi%RSLzl8I}}x)(5D-7fsTfczFR*)H;Q z<~$nYL!2T?3|oTOL!L^a;bIm8gM7^_c26%v z-__4gP~si9b^8^HPaFM)w1=vup5nB4rVD0721=lA$5zSH1v}z{v3WrjjC<@nPXm_= z>qVkiG(*+MzrXN=3E57I4Q~u+auRf$L|Ajp8|Z@hNHGbF^^j=J1rv?H2ID@CpiMM> z46|n4lfvpXKX1v6XVueN9kZ{$OfFk|+Age~yEC82cJ4Bzb678Qs$N*LWVU|ORMBpj z?)&=-doRJGU~hZ#_8TUF#MJBkyYplRJ;~=qWG+)<3CT$(qwW(d`(yS+3Ht@-5si%^ zl|PRr+anml=VY)uLxMeK#dyz7$-|n0ALozAE4O{Y5n|LmZ|0c`XbNuMTeDhJ_3g79 z`ta01R1|tl=01jj4L1#X1Ll+(+QMP~izj%HCftKD6CswPNO{4m<285TAl_fk)z5bD zw|4F880Qh&qw)=#gRkDs?(`C8qb?Y1mCCS&6YILE2l21n-tAWxv#OipHjU>~o^Uz6 zQ7Qdc89GjvJU63;oV2v4Nijxv2K*3oydOoDJF_?CcY5(E1^4ln=qS3ME3MV<%OC!@ zMjn!^dxTAQJD_Ez#BA5>aGFFnqzJKVp)OW*l zp{)=w>lDzy^9fL6;S_rKYULJ{S&!Rzb9Pz=BHI}&D#dvotXjpSrN zS6(P2*kBsni7-kFBaK)%zC($IX6tY z=dSNgG4a&de*M*hsTm?nHz6=FG{2X8Q@c(?po%BRdYwp=uHkgut8EjkY`8m~dii7( zamKvQC(oX#Ud*i?#EWu{;^l*^tCoh-UIgX881>8z6&LsIa|w6l2%$PHbi?-@S+a2g zb>VYrlE6`+(WW&pZE9QkKm&+lrzsVpAfO>p(Sc8*gN3(DKBX}@w-eW<@e&*(-7pPP zgDNkLyD7aI4d%}7E_AS*H6Z(*iX{K;{(j&d?n*G|!iXB+G}?5ju+-Kd{7w$h?u7J0 z$dTgm={~pC>VDH6@MnQf=>hJD@e~VQpNjQ$T2%ZoIUQ3W%3#H(i3FAeNKN~-dB>~) zbi9T2<;bcLw*av`YzMz$ev5R*>5q{CM}3wyHmxLF>_owV+9KEvzhZLZ>*{2|_o#to z;`5Q+PRO+dHj}EVa;cA*DvXP^Mg^o^CIk7ycCC%;A^1W&jUQEa2S(RI=#t$uR0`Zg zkKoPA&}uk|#Si^~sRpTvGh+p#H?M_!;%8?Jc08Q z?5%~g;Mi%}?~YXy6Sau=g%goX#e$->_nfU_ho_N9*z#WtE?CUpLRpNH%M$Yv4bHk= z5qCV^AG3b5@@=`!c1~0zYpAJZLgjP!qJbOViCj`@o;JK2e+{j2K)E@rUZ1#?F;1djE^TB88 z6;=g5Vznd$Ie{m*3dZHSumxD%tAz`Www|w{VsyNjgF%IK^M^tKqVUN_e^Iv4e)M7G z_W}=0$q3+wuv!xLKkKcq55NytXdU{$0gy0-J9y;E_n|9);06{ofEyHQH{XI=k+%#3 z0AXa^eD62Bq)?y$mqQxu)PBP$+*Td$Vmr7dRaQEZby7cNs7#aD^L) zV$g;HnL*>h%LVEpT!$_pWfK5W44K^XPkw_&R9#dEzV1ElOU%dtT+ExC@0EXCPJ^m< z!`Ep4z)Ope1r}joX3zSk8#f3k*f;0&@BisV0yseLF(V1sf9%Tx31y-|lQ}ooqZF>D zq!^0Ed;w^i&2)s>&)`L)J7=WOm0y}23p z3BF+qj(m||X)uTYz%vRxY+1;P1QB?B(6Z*D|K*ta1pHq#C!ycQ7*Q#l&Pe6H`dBix z+bl=%yq||l+PdpzK;HRP4FB1==%i>h0hM26=?9n;>`{<+k>MisO3gRfo6-d?r<>$* znr~3xodKw&r7wQO!pzc?SkdxM+z6?u(sGr53q|kqj_^e?vPoS`a*r`ch8=Q2JkC{% zk}+OEfpfKAPP~WYg7FnrQ4@7{e}!~vfhTy72`x4-Fp&wNQyUW|6NE%4dngJks$2|> zBCG6@8PYp@&R&K?8mxlhnpv%^)oZMwQepyl0`A#_R@ydEl^WsxWSsj;6UC#88 z7@d_&VQ*8IjhI zA6qS@d3+t#J?QAvn%mFxc#-(S^mkxsJ_8L z8pg@dQ97Zc?xqr#w(t^-#}5~kV6d1Akb?HyFzhYqF$L}upB(sTLXk};?|cVTBp~yL zNIUO*!m7pK;qME_H!#qq@Bcj-8m^K5Fqz9VtWY_tA6hrMNFdK-%h4BF_-j2 zYnSuprk!(YqGy8$LT=>pyNru_WXRd}>uW|XeUc0ANIRC(e}dxEPNywKD8FNrJ0`j{DC>@4Tu-jScCX;koOp;A}tiB6eh=2 zUu3=V*)Tp=7e`$Av17%)NGAIv&VdX1CvxDzBQDm4edS{22T?xgO_48yvA>k4StLh6 z!&x%2^V3-$s!kQbJCa1X7;NqnTM!p|8Z6!@eN%>z|d=9aS)&@eKk(U z!+eK%{rXODKAP5&+Bjt%zn>Qoo6hu#vRNavE9j@ll`AR%7643TLLw(M3T4@@H%U;a zqHZfujf8=n;k(icc8cQ~(sJeG|)9*b`0G zChU8+tZ-^_Ld3{NOHI`r!hkIR1$=-#UM$oNYS;^%ttAMvX#pB_fdLwF-g>Kzky^yE z6hsDm`zBbY2)zPw^wiM5!NXG;1A3c{es1)J#XfizffjGI(aw|*_KAQ1;*$z!7lObz zd`blm)NyW6PKT$H-NntOFwV3zt{1l|@NVdggRmF(Ch8H#wHC+BC`uwsPEUDwFIupI z>L52vqZn_YG+nJH0mG*UKRaoNa}mSQEM}{b^0Ar8uet#T-J@BU7v(0@I;~;~?vdQs zh}zv4FbQT(5g(h(*=C3Cf+ff9ad!3So!hqO2OTqjj!4m3$7pW1)fMlsyI340{w$8- zJTFG2d7C2}vWF zT|Zj(yuYn%Q!+%iz&iDNLowW@2PHhBmeoO+n& z8v+=jb{%h3USqFoIRL0#dski%a8vfCvZdTuk@=2!k^@ZfMO2XLBaw_&e_>;6qw{*X z$W@V5+-w)r@%t;!>v}kfY#qE)>F!1>w59Vish>4cAk<%k-u1x(lv>WzTbX`bDLTEX zJXpnJc$Jl;0VKTpBNN9wbe}M2xRVSO?el%Wr6rlm$=#B|yZs#=o_;0JK%B>=zsLsZ z%}~Kv1L~OjxST%Sbv?ouTPb%W79LArTh{*z@V){UEpi17{&Y{ZwT>u#oIwK>(i=g2yQ*!s7r9nHngVhl;N#0Q= z6Wtt??mCxt$bhfW2N_SDwoUqW$)gS;KD8m@-V^XKOBO}B&_7}?o>u=RI;t0$#Ra7%b6 zw20{BnBd#TBUw?iew+kN@4~y^2!`zhIF9M8FWhKP=u?v8&`dG#EUo1hlq$ICqAanm z_n5#bZy?Pv_PnCCoY)k+W;cZIQI6_ewj;UGGmoND*AMn-I|VMoY>p zGYG413G0bbkSF6TUo9FRt-!jWBdMhhFr^o&&fLNA2ST48SZIih8H}$K2v0r>z~;sS zj69^IW%|x|3M?Meh9b5!k=3wBrAo8#Q-jQ_MRRMSho|e;{t+lWQ)eA4zACFs|0jNU zm)=a1dG)Bn32VgU+SysjMZn*23WCSAJS%n9J~fnIN@SPd(yZ7cE>80s!dB_iG>xtCQ$j0D}c7=M_;MepArGcTM=z!)TDK1@j*sq+r(*&JaPf21*jCP z8IW+Txgi`tjLRmD{1RX}9Fl~U44g;`9lZybzz_-B?Eva-Qw}=C#SBHVjF;G9yGsaG zcQjX;Fv24jGxcrvh(nTm4!{iu&xT28@j(K2#A*-PXeVuu4hmR<>3SY2U_pD5I-l)Kyi zSmSCe{l5p>{>By%xZ{#J^~yH;asH~-YRbuduIbUXcMT*^!5H)i-g;~nGA{gMtgWCHx@{?m@)bK3%$lc|^j)4Mg z`H^-W-RQvh3B2Y^4pn+rot5QC52tm~xxZot?71&$ygKHJAWo1>DYi}cSSANQjr}O~ zk(SZ-if@VXjiCywagE{Pv{4fnHxjMJ0yxKcClo~1%#gB&Wt{uozQ#>kS?OLWlVQHp z$j);2(POD85n{az&QT!h$Z%V(`Q~MCMGwaQNt>M(xEdLpwQ7JNFz0l-_yG8?C&)Eh zI%?)JR2u*uMLoRu%4P5+4P1yq3EA&d2`X9%5fafEi5&0o_*4GB3Bm1~4Wy7Aii{h^ zaI9{ua|-I^WI}2 zY{Fa)3xbJ;`vIL6)#*MqcvTRH=zUfwjrc|Lz zC-)vTbm!*f8K)qsWJl_?{rvnOE1~DiqT`QywpW;Xwx^d5g&s))Y{qdbJB}OiOv~AR zw0D$g(}mfP@&em*y@a{lsYOpdIpDhMnf;OF;8UM$?5tNqh{gEcLT|~hp2?0MQI^n$ zzdU88H}a=uD525~bOB#V73slpv#CHw_Y!IA<`=fExX~@r_HCV&g5Fj;_1e0p|BBsD z-qh+=Cs>9}Ej>((DwL5&bi}w&RfE(-^kN*&1#LXL7weUZ)dYUvXFLf6R6^S(n11)J zCf8b3Jz}5_*xi%yuu;fu;Td^qCpEq~mZ!*5DwiAIOt&{MpOYIXtxSDLelF%mMpTvT zF23~aBlM%|6N7a%Sdkd%68`cqbB*g6O;7Dkh= z1~&H5*K@pP^ZJFh+>RTL0`U^rI}eXXE9?rCg3UvQf|7oc-yQpE!1<%HaoFqo!}EEI zqI*K}=+_+a$Zv=6c)7e1(~Qfo8X;I*R-;qS4TRPd2^F7D4X~1oRcTXoXYUjtWODl} zb94R9VXk^#o<$a^qCd>lZg2jsNLWCmUAM~kIy<(9ij%;;ozYixtLMdf$JhJ6WYWte zj#P{6A*{~qeTUVrN)W@_0m+-|G2t5v?v`ac*(qj5)1G&VKd}5Xgp)wOn0)p|taQ7<-XeG=!1Fn$GUTy#gkL2*xkUcj@;x^6?7JO#(ZG^lBrBJ z5cXb;7>y3#|$8=EROs^~#^C^$;%BSiLWuII9c~?{UO!0?XJOOGv#*$=s^&;w^d{ zpNOkVM>&!ol^@$GgnPbt?~C_%QKC4|elJ9akb0-)D04fPPEmFF+b;aw`?b5Nx@p;6 zrbg{8LD5x<@C@7Jaiid5geEQ7$0GZ8Bqm;palgnZj!Y#jHS@SuD&NW~Hh$eR?#fZ+ zD^nCQk8^A9o>`eZvG#v-yyDsIDsRKNJl30T?U)sw>3ioi4vKNR_%4ET6S19W$d%I| z4(pD}6jNXB$EU2FIGGR?Coi?`*O)(%Z%*`D&@(ylu}>hc{RY|-NdwqE^}+BFrB4l0 znFXfiw^fTobPiSyJNFtbNBwnuxwxfP-#O8#{V3AiS&sDFm6ohm3E;X}G4rEHc4>d8 z$@O%rC%TTUcIjd8gT+DiLW#G#)!)N{bk9UIf;^*-jxx*-9OXoPx7%r+W+xU|DVev3 zDfaT?*y!{x3`!n7+=#*;;&1$RBsB4JHXvtEwv*|O^1vsv4&}V0%>4RA?nT!_xf~VK zqh0x>kMqXFug{=~SF6M7+o9u~d?0;LC)}Stz#wubI>OVEo)SWdJG8pBF8xKY^ueIg z>HT$Ce&4sB-1t(Ha~IlbSEyG`?rT@I;lnMZ6X@6q4P!0qwj)YhwyMgPRTZngLzU&Y zEO{RvugkienhVLB8iujbEdp4W3%P%;3D2cT2YhM>^$+kuo%q4&Vxw9aWEE0N ztD?uNGi7*O9TZZtWDjM}z6xY82RM{YjTGLgS^^Zpa6;BHISeo2HtZK>L@^3Xw*6rG z>COgL-?|_?)AMH<=h=@6e`0-;@4F`7;?LYF^6S@r{m?}57N$W);GdP#Z@wq|0b|eI ziKfrAl)Ob_miDk@-4mnLzKb>btkH)mY1omm|IFz5@y%VUH#|M8ghaRK%~1u3S(iH` ze|}+28TEL5M&fIlErBjR>YiXV<$tv~^SYserF;Mi1fA&hLfzV(JEV#CuJ|UrJvoy` zV#_H{n}6XEFBrx4en3@@sdkr;ffTN6e@@YV$!%|cH~_TU=@Fgc1?@)hH|>@zShl3x zIdZ@U(S zB4KFlUef*U=VeMc=S%%IM759ksSD5UC|y~qJ?YuTd)v}p6GcFdiq@=%OcE?aBO@`5 z-;o$lLzv|T-{j-AQll#?yCJWTy1jVGS~gE`xh;aH8huu@S?4lql`{o z&s?c3KEbwoIpzoHZ>Woi+W~#l)|pS~4d9nqf3s1i;4$4ujKKMHy^&NI2jI<6(Ik)= zzBEE3FSO6}DI*nDlXc@cl@GFN&2O(mmfi`AAekFnm78yb=dixTRlfaL*0rHzqiy1! zuTk3*E{}xTA%VhN@!w`aLdOPsrLtv$vp7RpLsN5ZAuT9mZ;yL%MT>5KVn5{yTve5= zsOCuVQ)u>M5Qa#5)6u3)8=8R7{6}F@*f%AZ%&#tfvAXRyeuy=nU|*L&5b+%AZhC@!=WwS}V(`U< z$^d|>^6rUJh(V4BM|MQS_6&P_yotg)M89R8r6=HP4{J@iAbr<}du>$L6S`f|9B z&l$UNd=*s)F~Gq!>~~ISxh6Ql=VA^^G{i_`|Hk_xV)E02 zi3({0g!MDrXZDp?3v{%9v=rG--Zv9*&`lj&a`k{b=cfJjhF!9ODugsfY{@zL`Em;j zZz=2zj%B1zr>=4RefNl0-Yo14Z(qQr(3;giF1_UdVsm7N-#V`wyVMXlxcujxI%yS}yRt6SsXoZu5mgj|alZMX)EYA;n+lL2A;N;mGOD=P$|5OTXmN40t$9Ut zYiQ(EVymmGCAKrPAnRGX-3QVJQJR4yEJGWj;MBqIp-v4TyWub zNUoGuo28wU4|P0zNymM4apzN&Y40=jQm2BCa*4TDd*dljPfwQ!J3~m5Gc_i**PMB| z%?I)wf5BJ~8f(?(A|#}wScxQr5-2`fMBrhrx-H}0$$$~mc>oI5}9YE7TTJd9JL_)>Y9(mI?vYewNeqK=4JssO3w~K<)Qk-c(a$4hmN|1WG9uops~BUCP7*II zd$~^=?t`ejT863&nH@mC$PRQ>zABrR+dwn*8eU3eK5m=V^1rY`xcku3cZKWbTB%`P`H!PWU=vpWki^O76s`stH6iiKkg|=FtJU zJVT@F2k|FfLNy9jM_+b3OH>Hzl#o0sdi=arC26$Kz<2$5Lr$FX8x=RiygJB)Lo&C?jqjeqQ{di@wPAHt4*; zf3~24o4WJqB6fL0de5@#DQ>GjNab$7Z{@(XxrTO4T5A|V>=>e7*Kl~Y&t?O;dDrOV zw6l8d4U-qm@p?s($Ifi{?2@kTeG}$K9lQf_=j*{+SwiRHq@<)qjU-tz?xRX1q-0^$ zYjrJc?omfOF6XEF;U>xMIyd2WKYULX>Vo^pupMV?r;CxN*^WH|ZeJXcIYxy|JkIRC zUKYK=ZxYnIdRkO;Sg@cf$me2aZ63bZo5|~{36`#^WiPg(`ZK?6`}UmV2)SItM;8=S zI7qtFQkLImZ-yMf^~X)xQpGD;jq5*YtyRto^6tf?&8n*Eu!d{U@n&e&%wAK^$JtK1HX5K4EQyT4boXUa`@>#vSghTRkV+_kEJ&ZFpay6Y}t38D2qvbmS2XrrZt1Gacg*Qht+HY*j84x~b+CBIt}^ zzGhrnD&KqfZFbGuvL)!Qyz_2Vt-rhUcuOryuN@3lgdeh?D!aBl(jKL8Cfib&zRIUY zMn;yM&iIrV4T}||b6?=wzpx{cLKvhj<5?bhyS?KWYc}9=e7j%ADmpGBX^*+bq7M{o z5gSeKpVP23EPSRxxYBDeU|qL5(_|oe%ZcRT2q}eU2H$*orv$msA^5c8UgS1Ii*KL! zeEv04)Tn}Xg8q4L|J9M5&_BdJzY~%K+~lf2p+{lv^WhZnzV567Q_u;JHpSJ{|G@Iw z9>+r<_V1EqgtS4*n~M(Xgu=VB>qzt7WOsGs^%29DRyM!g9SIduX8)b{E_-sgp)8-v zwT$@*NOH7pGe4sNQiKvdl-OICIViewFLyq}SGRC~)Yi(Y2t6A~akJ>JEx%|?BqP9= zk#5F0s^XYro(J{3Gv60DOm@2Hglu!aC2*usElJQI*PM71p8&a6Txil#dXAF*G0Cs6 zt)s$WXP7gc5kGd{(*u~P3#j?o!SFOn1zexQ?RnmoRglPZqyA~Sx|%A9@(c-P8RY<| zjC2yufr(=+cweAJOkXf*Zx?bpGQ0bbJn$cl1eq_8iU4sL_6B2CSP`pZ-fb`-O5ZZl zslbGb)kGv{u-NT@94OD!NIp{z&E7W_@bW*|jX(yG2CzeQNMb^y(WOrj`F>gq`$ zo^q(@&K^X+E68BIK&U|JAnXKj_z;yyTq#QXL+A%v=w1Hw!aBhnRB6YL8dRaL-;wjM zu4;eK4)i8_+ter2T6OHRAuoR%HlfqKkAn|91RaokA@8RDF^OG31?z%GD zx__4yQ1Dh7Z{D(2iLH4}k#DV(c4TDHjXg6B9Rl;D4rm5{t9PEGZu7}FbIXajA5jPM9#bbe-5Qz6j2WRr@H$KZi7ju}9IfAN0MCe5rd##MNGjEgtY_I-l zK_&0?MM7h|^D^E55n=Yf$;M=cB`Zi`1zdBPwX0;yDi35z53Hy|X(gH<`mDyV`Hcq_Ot363iAdueJcnh%aXfEXL8g9VPC; zOkbETy|uWw8mg+}sq?IBLiB7aIzEwHRXL-+NOhoaHRSz!)ZN{nBPH$zf8NMhQN+0O zmkrLr!QU!)4j>%my-zfdp-95tKoGR`yCC2#^t(R{$adhFAEDb{iFUuHs{@&2`v6P) zTtUSEZ&cy1@&!!1vT9xy*ROGx%|M|c`U-NTICTExmlJ+Ixcm}|F32t^l zPGltp88cIqkhs@f^-rNd2y=q|{A6kUi^?D7pFS1Lxm(4&gug8c^8h3YkV&-*cZQ1g zh8|d$n1%eMI_(T30?q_2E^7>^km|Hs@o?lIf{E%~4?IIXj^?E>?lrht{Od2JKUs$< zHr#H+I1e}1o3%!kRxwX6n*XYj|T{jXRE z^06}@LqGQ<5M58c2}w?aiixK5pp4)GnWJLnU=G_ZhJP&^(7K?;HNsz@0IzM~1N9zn z1&2VG2U4oj?wFSXH5AApn1F4;_a%{OG~oDr1OPuYiyA8Wd%Af85e25~)=cZu-$@i< z3LMa0SK(P8{<`Ro5OOddPafF;IoR(k3(~*c!{r5H!ix)LK_-@3D2VK`WMzv2iJfsf z{;w8|Ty#sr|53O6IOzXB(B=Ib(euA42`skra231V(LjEoG5eq9if(sMfSkvRV1H@` z)MVjE&`FGCv%6P?3jJ~UnNKvB1b^U6x-Dd zfcz{NJxx74J)R3cTZc^5{;!0H|9cHiZ4w{>3Q3~~o$65UVNOpu}uZ{ct(sm$`S zj;{d)CB_{R>h*>2+V(}P4|M9tdFKTd7ccU1DsOL@l*~*Or})}xu7?$$6#a>-%dMgY zCtc*OUOjp|DutY)FMvNoi=-llP!hk+X0!hF&9$0~i>sZ|pNzWYu6u-R`~a)@pi{fH z^CTTiuu{oQ>HZK{_9P67)mqDti}EZZSRwPsjwyjUMZNTyjOHlU;f6mfq_k7u3;dX= zs7k`Ba?S}Uz0TLz^)unW1{{GfE>iiFDs~SIH-rH`lAd9l`jEa`fKRRaKN9u0*A@nO zj+8t3ZwfS247gQyW^F$}y53664MsZRhkMr|g%OCfzW%%kxqh$riAw!>d1CE+kc12uG0A$T?W$y&8%OQ{zl-* zWW67#iApbmog3ZDhV9$qtvxDiue3H`6keWZqUoAs!o%IbpHdD=zB&4YP2p|<^tuYM z+jW!@ydN;Rol|5?F?$ec6L#yUXbt^`oZy>^&1>P4T_~T8L#K9l-iiZtuLieP!nId3Z_kweXc5gCUNxZSY9tIX(DpI8S*DMiszTki$OH^H77tEXxvChg;@h_b6 z+Bj}ZzD@4&5uomaNel~dJz4a#nZDqTwd&Ph5&EO$mRo}$D!m}hB#@*TUG}3bgg^f% z|3H4IxtD!ng7ezoY(}(hXbwE{k>rWg*SBj6V zw%T9`OK6No3|IgZQYbJYt5O(MU)WKENa*dYXwSJ5duRp;t=$Hy*XY1IJUN@s2l#6{P7Ic2ogk<2_p2SNYd1uUgk2IZg({Y;{j(oa&9gop=<%v^53 z@hYT7o(u^R%g4vw0MHkAN?HEJ3v@I);vX>Sqhv%AueXkT;_whA`| zQa4;+*x`jvv7f%XOCPxHVuYrTo26S9gaQEK6bTp_MpedWs5#d5KQy*2Pt4|%|T3akB2X)3(PE=Yy=_{f2c6FK6Vee|mZ$^VU|(`*n;;yLEj3Cwy3N(QI&kC9gBn zqk^Uz+?o>i`W#w=zx$Dkm z$xd5KqVZ{q`{ePx!^I}z98Y;SJkuQP!P7MjUcI$ZW(Aj3P|d=4V$fo{(OJFzSX*@RwIaa?Fvcq zPI^>Y&*0(dl-H}xMoCbP8FY@As+llge!nB7e`k~`@g+ZnEn8McvRu`fm`laDNr&s? zBUL^=z65PLIkTsy5g*%q&t0S@9-Ycn{#s%(&Rv@P%8l56ajt|&u?UwuKa4>VZvyH! z`7P?c@$cXsE_QhqzDQ()YHG&Ij*-m9Y%?EB6B_}t&0dFa@q}m0B`sg8QhIN~ovm^) zQ>eY5Vw{z4y|{&pMR_SeR##U@BtSB*_#-nl6smuWc!CIL^)h&6QgscB2$x>YXI|Gu zWWcdd)%Q?5A?x<)swJoSfNa(WZEfumgQf>bLA?$w=GALeZ^N@d(2bNjcL^TXl)aFX zlaoJ6Gh4ZPS78Av#A2J=0#))7Q-+lS(Wx@JlzF;L;Q02hc&53}7R$|xBcsTu{G=F}R zztco$o8hoMx+`pVc`^(qVT$}w29qdFMsK4Ajkes9qAY*`$Z8ozcb^zEbLxBPslI|D zFWkNE%6__%@fa$2xfj5#{StoNrIKp=a*E>x0oC&((&3M$rS|lrg5_NHI^(})CHg03 zdFpFBsW~J8q$xqB9tMn7aA|$|=xD3f$gRi4n^gzj#p%25KT{v6HSKHpiITwp_^_TD z)`;94bl_=^24CYv#WW=I6fzg%JtaeWU^}$uCmOtiVR64h8-+a(>iiZ6U&Jzz_i?)m zRzO-iBbQO_-4oCAx4|&uls6-{l3#ZwI#xB z6``>3(#;yd zOS(fLIt>GxPxe}#uJc=@piIQglcxS0y*aA{abg~QUVuh%$aA;j{?>7$E;$mRfb`2G zhWrneyLZ?8ghW+L9vG4zFhy1ed#w(=@vaxHoIH<6US1}m??Z}Ut&BT34SCcQw4jk| z4+e_twECE%V!csi`AzHK&!XNvAbzWd1Qt*Q* z($@KQj1vDg8Ck^YXjQrjqLwHJ%hnrc2Cm`9rPtNz?2YeRny$Z?PjVM=>nHXcjfnkf zXu7R@aPD2tOF7uwOJ7JrNR{8blQG>*PLz7D=Z$+$y#3JBS%82kUW&rm|4aa zPt2FH6nFux3B1ihU3zLK>6UcJOkrWq{`KzNpJOhUWK5atp@$rU&oTK1GA83K~Iy zFB%b0y!trPA}b?9E;c>k;t#*v#shN})Jak&$B|vuNlE|#+C{k;vbzAKB|n&khs=L? zTx@7U^#8b_$-i+^f0gR~U7C79y53KC)~R;YRL_Za249CaDEz`6Vq~ZBryzN$3sNHulpc^2P#hyGeO5;+WcGtrp=AThe2GXM%IyLqV};9% zT?RZ;qFL6<{IB+qxax$2$kT%>Ca;RtlZneR2qRjgnH6z~bwFslph$ z>A)fc2pl8DWg`+Es~V*0NbU|#tEP1UTux6MXsZL7rtyMX1n%Wri(ClTklg3nb-Yyl zU1-YI@;bqMKEUG2fxR*T`2@4&rN@Uy$8K|hJUWrAf+TxGA;76M0=di!%}{(F1#GT9 zp4J4!JP3bp9S*g~hv9fmJ&F}X#DPSH3V_DiThaB*iZE$|trL5u^sEZHJ{6^Vpr(WP zcdm8J*#riPRo^xgRzosyFjZhfW1*^lO)1R28jfgIA!Do7sbp8!L|v7+lwa`i91%v$zJQ9 zLJ)+uFMI~EH{9W>ou)fHX;P<|uG3Hr5R z^e%hHO0TW!?LVJTHcZAVXgy;D`b(r=aK#jJ)IF-w98Q{;5PtkHZ1Vi`H2kNaT$$aF z>vnpb>yD*7UsQgiiIqnu`MUx_8W4(JRPiA>t7XrBa#p=1$6~Rc%)`BCu2>~--d|JsK02otrxw#0Mo4JnvS@etJa7wB-HC+ zGG2>l1SScdain?AO6*JKle|Rs61U602CP@^3l7_NJvOQsE=~N{a!;3;t!}5pW4aHX zfB^9?$KukGVr}_7w&>F>X&^n)4b#;<)_lmfarBi#jXnXTp8UiT8Lo=$3TuiaMciin zt5S`{nH(N$@ZEV5!P5;BX$~f5yK&=&-4Or0jQKKk<*$*+wzx9$L^?|MY=PvHuQ^*Y zZ#|a;P7me{-_BuYd37!_o~^mBg~J7%O7b=9b&#^KApX7Q-KK7C`_&VR-wxAUAakDQ zaL;phWVr*#I!uNZV7|*~7~LO*sW>}G!C=8F73*ZN0+q_;R;zX|@U%a;2o#>R7`PDV z?&sZeem^=oYCO{{*9pIMiX~YOSz23@ck7w%>;kh2S>ujIYnanjd8?J;!+cUTAmJ7{ z%t#X(kOUj3NQzHXeJE0m7=)>eWXeazJ}`L%Q*uCgz|Ky8hsQE?`QZ8)*dD{@uYIrn z2W?*&RaM)yOKcRB20^-8LZrL9J47T@KuQ|iqymD3bazW5A&r0_ARvt(-5}kYI`_tS zp7(t3`Eh=HV=x$du-9Jfb>DN%xaKvlg)JwB6`Y40$>QxCdcL{s%J2KR`SLKi;dEKy z^dRq2vdQ&RO>yVxxn)`e(NJDbMj+`ufVJqsp`^hAu%yW0pR;b$a&p@&0ca7732^0@A7*r4>(*dtmO5Y@f_H$ zMF}?Z{FrXbMoHPoql0mWU7`sjl)CvXGt8_)hDRc{N{TsWVTo2wvgUS>Rw_{C**|<{ zrEl&#mE^*{N_2?e@f|`}$FVk%j$fHh3a0q5zi5DjL6M_^<}uzk-!FcignUUQURzcJ zswxNBLx&amuDGYynjVzJAk{J;=Ap!X_&7XQc(JNvY;mMSH>K9y)YR`zN*|n3LitYL zCxiU~m{sx(K{_sKVqgl#)NoRB*j|50=WM9aasMHFfnuKY#P$s4#kni&9@T7bA4FW^ z2{v1hsZr@>9aA`2V2=)azzmOzhwHtu#3%C9cQa|^Y28P=rBh#Y@IvBGzr>d7!#a_V zyY-)8Hd}Gh@$I(bE&3oYCyr#FqFlK*osS)}$tfrrxnJ#ec10=5H0=RCd!4S&4A#G< zj;OcF(HhXF@%LW-)s)*>D2@=87QH`UqbwsRTz;bNK6_ceR3c~>M{;G~cs^gDxCo@6 zv_w4i)wf@iC#X4{Qt+j|F^Z#P#I7 z_7<)p0KscTFYoe4fMwd0y&>kC=6$`tD%YcW@BO`;;qx3_0%27Z{Kx^!vxUWGP z1>p~AYyGv2u_{&H*>X)v*vMs_eMGVs49R_m0;|h1&wJoh;o19JxCa~Y`_0a&;7aLE zTM7FCyq4w?meKixe|a@)abv|xvuVe_zvuF7o1tIixB<=xW}wusTqRifn3oKbue}Hp z6j}i?JEif-OVbc~Nh3Oiu~OIOpb%~5wlcFty+#Y&oB6LYpl$Kys` zu2b7j=30|dJVi?CMnq52UB8%x3orAl^3wsl{>lmn)`4+0(yKEu&&V!42`?#={oN0Y z?bY1RNBOdl+4=T+`sSLUM+uysFs=md=TGOIU=L;~E>28OhZ#hv78pWQvy)JSRl-gi z+(y<%R4Qx*GdpJoqA-;X`rooQ(W(kp4a*OCuX;MoFlgqg$Y)EB$aTQ6u+c&@mlDI3 zpLwrxsT2jHUW6_r&#ue`QaB&+x&yI*6$ry}x(BWK)b1pSUBg<)T9&M2(?wWwR}3@u zP?YV>tc_yP@TR5F$zIzh{8+!Jkx76Wi8fl+-o#!2aC!)$t2Z5-1;+iT&;0P#Vw--7 z{?$T>am_t@zt zP)^sa$&^h%mkbu#X%S6sSxmU2xP*QvMdw_1#M>NYaCmFg&h^K<^}7J?Jk{p)+1MaC4HR7EcYeo_?T5X;NbTHgbvT@DAWXHky{$SGtv9wZs%r2x zjt?gPR>Zc{gU&kX>rng?#ken6S7#EZLupsc1xsV@2T=)5D@K(&sulgyFMBN0L?sE> znbK?z)=o!UWZwmdJp~9+pS2Vw1Q+R*@T;Ju0k#9%UXhRAR=(0P4xHtj1sdB8MPcd% zK>cu27!H33h{+R1ubz9aJk%qg=YcjEl z^-p|)YY=Wa>NtURAYh>LAjx==+S6z)P386Hj~W|Ycu@+C6~l$!kg~2e4OVd-pb!P6 z$8B$u6pEzq!PGByJ}D?^bo#2Y>3`K{(T%_fe>aw3h8Mdavsr=8l{@V@TrKYiU# zq`v33caD2z@c%+St>ZT@#ejv6J!V0=L^3%$lklvi_<4k41?R946`kA}1MzJNF7y@dIR zkx+2-KJF~Hzj*dFIYRF#ypNX81pbqA4!9u6(Dz` zOH@w58^-e`+Q%D_sm;chy4Zhr+8U!)tTI=o zL)9Yo{X0Rmi=Qa-R&kq?)!nl#Vn>1>ZX!_;r0+h5D@yj?wHmhx(p~!|b)|_n z&6FuaFs8{x>@0IvHRc;lG!|&^cau;=ksUL?rUTNuk&c{GPfeVN7-DhBY z=KB$Lv-N(n;xVWOAum4UVUeJ>Y_F-Xj(>bP-9 zZrM@hA%6g3oOhDi2Mx->7W@QRn+u@^jvQ*cspR0;WRxD(f`r)uU&8PpGr;OXpoc8a z^61_acn4lx9@pnM+5{f_3#x0``S9JzP#zAMMz?%>=aG|>TT)`vCp1L?r+ z0PL|7XEu$Gm_&MMsV?m7Y_YtPpeI*333qMFUpa|K@ZZxXEwrG~E>8IxX=AK3D&9la zaV-+t8`oF=fonwd5mD+y$;Quj+J(9vgYs~k zs{-e@5K5IZ=PH+N&$)Zr)@0iGTF`G9luHpKBf}>~D+VKB*|PL1$+UJ2yTJ{Y6D$?d zo;tmUtXCTwy2vG^X_(D3=gxj-@Fu-{hse&&R)%B|$#uMSAa9z|y#W9{yyI7G?~bsb zgV%b!zgt)U06w8b@9~_giX0Uhv7!f52Kt-zvO@%Bdi~-0W7fK9T)^=#0$wiXmee(>{0i{xA0U+f!PSBR z)lx&~`L8S*ED{m$B%J?yZv(YnPp>m#3D2V)j8K=i<|3F0pQ|L012-nI1$>}&pyk&xT0e}cmR+^_?;DnyZ}@K)8u<#oqKvkhErrkMYNbG}^`DBmf3 zv2Qh0nKS}5Qa3P~3HuTufjt+%R zK>a3@fRQSF+J{yOcwB-57T3B-9JhvtrJhJ=egLAlJnqN!SRZg#of`k8+6Ls^)XgX$ z67*`Cnk&O@fP)ihMIK(*v}P0qI#cyL<#0vDzrB!FRt_$%MFb~j3~%ZN%l)UP-Mak| z&1?^8!Ss$IpyfnXPAy{95Ld|p9bAapbmFzd9H%ent$}1as*~LC9;gZup=)1DzXV{A zEN;6_vnu1!e`!vGF`bTR$NfjN1Q_r2H)H%ZEg}gbDpeAX4R%3fHoM&cp`b_NFsD8s zN5H-*>CB9Ja_Y(XZ-4>Kw4iv9EDhPKPkni*rgdyX=+Cob;)(^$@yWE0I6xToWfTNpuJ#rLw>x3?@+o$_AxD^I+Z`{fR|!O&c1a_;B;s4 zE-Gk7`^x7So2&rFL914eo(AbcR=osrk@;O3Of6 zuQ#=X%j`aoXx0o6=^N)2U?d{P7;nDusmAN{=Yyr=u?zaM+1KUHgVg)SEUcj)5dX;c zbYCYh_*T}aj*)&8#-W~?DwTesPvx&a7Kf^k?G2L0yh7pkzX zH!q28)H1`DxZ0<_Q;u$T1)Vj3@h!)zWv3hf9@!_Lnr^ojxEf;+n0iUguS znNT1y?6BH%g}!)FXK#179m23c&s8ucU}&8O7yDw?1AGTRb~bHEF;Ui_(P4-mKor;g zX+C`s+Pyj$<8tA)Q97u*?5YY4s(&ZI7bKIF*+cQR^GA{%NP};II-+3bw$foMYx@Fu4^;l7R-{OPAHn&BN?FoWAMV@9IcNeD`nw8|U;Pi$XBy zw4SFX;|rq77o&>Hzen9beXR?Rj1OOSn1W0^uL0_GHYR>(C0oNi@JWnG>3y?qo{;#X z8T;l_@0rca*7#oBnhC<7qDHO#UPutBiit_O zf89cg+A4aP5^w2Pw-q!PfKR+U_Ju78pDQvDXf{hAALNO7d8?dHcQN1L;= zW~?5~tfptzl*Tn16KGsE!6_dnA35&5U0Mg45j~%2(R|BLPq^Q(X8WQk_%$>!ne+4U zfJICd%RUH}0%GFndPsHRMVOcsp2c{U3A0S5X38HJdSk`ZOt0nOLd2XU7d}$N-&qFr zyNGW_231f&+C*KQSW204-K>+P$OR3qB{74iYBQq%CI7;=nVvJ3tH=X%>j>`2RMod~ zYLT%4fIInzZ$mlDC4{lJC?(2N00ix5bi7x+`k*pHUW0=iZTi!VPaYX4`$blAS%bh4 z2M~eVucRTZ_pleMRIK-T)|xi%6HN@$P1T4l+BY`rrtR$o$eKI$Tj|#w>9A0V2gUeH z0oMhdDse5#Z$j|J^_8AqB*%>MFq!X9z?!-i!v>;u;;G3H6iP-kW@!-!HV25|*B+7< zvWJt59Zk!p59*(LAgQfrp=Loc!M&?&FQJB;E9eiz2#nzm4Vl%42L~(lzcS3VA;oRu zyfXcQD_;A5bcWmD5){+V)1q6)G2}^qi&MnRJ`k$z3j=Ex8sa(BJI*Wb+Pb4a_X8^g z!@RakFzRCycz8-|I(%Mc`^&WpjNTZ>%f-!NY9=ydFk&yKH^RampB(EP=e;q-O%W<; z=3GnZ$~M0Sp3V|oh?REx>gs38O(^N-(_@Mhm62F;!$>+^Yio42@w+4;RA>*r;>|m^VU_tRHf?kfL`eMKoxw1u^saZ3NUaUn=O8$ zpuiPae%-CRAXRUkBHceX8|(Q(yP9-=65bzKP-dHR{EIdq0{l9 zf4|b>_;v}56(1igH0vn?CJK*~2P+~#9b*({c7fkV1ybbCRDwAKe3rvSu=uz6+Et9gYxqQX{m{KB85} zLOpriQkKzHknQxQpeE){lI21!20cFn976dG4{7ZJhV@Z|<-yyD#WtH1_5P)s(`q6@ z^gC$%0gf%57f>s!_XQQ1$?F>%7A-#1FxbY`pzB6+hS5kpM^i)~A+$wS79lNAfHVX7 zq#G@xOl5p((l{k_FZi`Hy2$9m=wVjqgy4kbSV>9XWBz3`OxpqDU7n6_GjdYi=pr8E z9W*=laR(?SmynJ5J#2GnYGA}_WWJYwKFvj(2GV>@{qIn1(xw~<+9JFGH{yN?cN(0F z`zNdJcf)^l-|UaSD~sC+uBIC8E(YEtLnb9E*!9;`VBOk$eDA^+@!Et=A&=u})A$V_ z@U4RXph_YH$lv9_eg$mg`iC|R0X=H*f$UrO(p>+Tptf+JA>T0l{Rsr$MLZvqNa(T! z&fn9bBi^MqX%R#J{RzryR)09Bj!Y(!six6{CCj{_cOC zq1^DaMK|owP2v_3<>OaA103ZqZUtZ8EK*2rC*0KJ=6}CFZ4_7)^FbNIzpH|S*1{3= z=4Qg*KXlOoQ%k5EAo#tIK4MZ}5vb?I>Hq$L6MROV-lh`e&pKg8fYZKldx!St5AT%V z3nx!vE;E7tBVMc z^dVB%?R4E$6KnmDQ}7^xpC2C;lHXV!Bp{G!%wfwoGcc&IS#_A(RDrPn9am8fRfGyZ z7Hy}z9T(S671f^&(U@O=bQu|Lj>6aGShN(S&gm2E<$iDJ%7Piip`u82C%@8N5@plF zjBV3xP1p#l3MwEd=;RK4{3BAtz}*am(T+A#^ah16)&kDS-JsR*sqULi4hIWwXwq=M zOufV+K3bVk_jp8+hP%4%())vR;$ZBi&HXR^J$d(EhUHaMoK|;dVZ+yNoXRKAcvDS+ zs2}exbd9KqSHbPwK31v%azEdvQMcpX{u*sef4GSQm-;yV;59+FN2J(Q+W9-q!01)j z=)kbVrZa{>!Vs1fVQF?B2Uf6j_k*M7EkUws1{_n2qh$M5U9;kCPMoCI`!9qFSx`q? zNANYro@H+npYbMI{=7Tp(evr1dQvX(q48ySwa|%bcbZ5-uxc_BdbCG3<2t)yrIt0G z@r3y4=cz|Ca{8}sYABxabmPC+IAYch=yBjzxUKfg@xc=eGAY(c7mW@ds6x*dN*)gb zS1t8ej(|j7-GJg(8+McBZz}>~x;<*G%e)bDj=Kh`Mh1RJ*wkBD4o#^JriM>5ZrByR zk3HOfRXov9dBFB+VdJe`dfk&k$;RntTMsgvC2a$|!5v)t zTX46zMMw#w(Y+hX^En}e#r7u6Ppg!;(a=3xf34QoK#g)^@Pi) z+5$|uvJ-hsb83%!xS{;vT}d1KFWuQ;u>?k`)=K+noN_P~^1=ugy29ouvECUHid-es zYme>=*$I(Hn#){2!I?GWbvCV{#mQLSe_~R&G%1j@xsdsFm{3w(n3JDt4Kl!F1nq<*5rkCC;EtLErFai5P zV(Pqv*-ffNYll;O(MwSvKm6Uh!*{r;P^SBq7a#Yqj?4>hX6%)V$yzxVE2W?oNWl?QrXuYr4OfqmVO2%kNL18)r3>FLy=!~5l^rCKx@awR>lMhOXi)Z(;#v}LxptU zQhf4IoxC+X-W#r>qaK8`#71*gJ^oY}iCO1s80@-Msg z46@W`ty%JU|o`+Z>@6YA4{LVlLs>D>)9SJLMfLRa7Uz8_9QyG89O+*v+bDSGfw54P(Z zlFe6#>cyev$;fR5?2+{r&x?;8Y8_4sy{OOU$rfbrXv0fm5QyGG5b9N`#N8Pf3|ydRa2ra~zu& z>#t3GXsEsx>#NFpyAc0G54^060fE;kJmX1sanlX0XAPNGi(O}vzz|q2HnIB?$Ms*x zIeUlp$7dT*aBpj)d*c5)Fu%w=ftiub6fPF}0&(YJK|&p7j> zl?l32SGKexhWa-Q-U4AzL!8X!ZvfWA^)WFGLXr5JglJ*6h|m|Lhw<3p+|{E_9Qv^^0>PS{8|L<^F}7}8)^jOfnpCp!_GMpcfoasiO* z;OtX_I;#^_(=nvk_+6tZD3O@N$rI$E*nQ_bYv#Z5TI?N6aGq%*#s0%=^}BT3+#_{f zBU-w6Jpj#v=Rpnf2mwL7og)t#C#pSJcA3#`hMnHM&R)e@>LExC$0Bw~y@DUVqcKt> z;GVR{smjUi=TartVU6xe;&EfFV$H~YOX7y>JmdLl>atlgZ6p9f;G$biSMbkP$ zh}cDTkh#u|2?qh|gIHs+@mM5Va2u9%LcN+^^;|b7(5xOkMh%fRQlZ5np0?@**9|1f zS$U)*@_W1HV*^ZixOcS#wBEaHa_g>!;1X0sv^rqEPZnzN{*_v#QX;gqM&jVhUK)J?Yfz`&-{2pt=Pjh>VcCly$?_|0ek_PeNRS5VY4Zt@)Dum@ z=a{9*S4(l5v^_P>?ZuwFI>Q5N+n4n(zNS9_)sY*LTL-OBQufN?%5jz$hw$2_K(RPa z-^pp@V+etb&E_6I9+U~s8I^#WyIzAc1RP8^KER0TmWZIEM9SH)_9>l9VUV$xia19l zw69O4)~c0-VF1Z3BAHjndt!1Tb5248ZfJa|2&wm9e8D!MB;~|r(?;I!%t5|cC5`}5 zf|Qw>O3YJ=8_?&VaK0>7d-l?(bVCf~cXs&>9iA47^9S$@at1SHouK2!%A-HqP+hZt zB~G|B7@L*&`nQ#93Rf%bVQ+ziBS;7i+$C0NYD>DVV^pvQCb(kVdDUK9WH;M@R;)+>< zWW!s|b_@EF5~sFqIt6;Cl{I-s8DsPFrUGYQhjKF1wX5Dx9+RGr` zgrBeVRv6Cw%JI~^%@zLMKvQdCdE?1J#yyMUDq^Q!qH%i}95%{VmRD8=>YQg37G6DP zVr9(%tZjVKHI)R}mj9KCFLUT_UGA}qs&Wi-{*sWyM;OB;6g6iB%pkO?@UR#jHM zG347ceZrdJW&h1LvNx7>iStp#!EM-VTX@ck4MB@lj%(*7_5*GFr77E1Z>B^Z&dEuX zYC&yn0vq3zP~DE-zU3!B>EUK?Q2}U2#=-Z7{+v3`v!jex-UrAAW%dydT^HI@AzI6CzZ37lwyQe8QCS;S$@Tp?fPYVDK%@SGKIYr}QVi$z z`4B_biEmykULHTsjp@$ps(F#D@xAz&rh%=G-FB0eCbH^^Ix0AO59klMM}`yqUbMy@ zs3f3#Lxwa+BCr6btjHsht1{SpX;|GLab&vQj%%5GkgEs+?S`-VAW0%0;k8w#=fP9@ zXuVrK&vj*^iC3&@jRc|59Iu9lZ3-s%$7uNZ=t@6%usmtB1N@fUB z{8li^bA;!x3m%gd_}jSl$N9vBml5QynI!^Gh5GcfZC9AEmQg+1Ek~Elz{) zw3kXao;ZBg5cs)6Q_#?`kwD7S{@asxJ+fLSwhE*n6p}S8mJlu=5YK(PK62jhE{^8ayi{lTSu8bAKwbH=hWxvKoqw z8NKA*6miHddevXQ+Il;iolLu5(5{)SzxHsM#B#vTy&|=>RU#_byJ5>J;rQI~D*f~A z6&$1Ch|V9o|DHa1nDido0J;570z)l95Gb+aO32jW8OTwQgx}yO=JSjg84K zj+*uN_V?$p>y~5&cPrGLS17Lad)N9pI5;c@JO|^k>_!4-xWppRyS=q%j|Ap-h$?4> znVc>tN^=?-faPY++!o~zA5!MM^uKW{O^}4gHruhEKZ#!Ht}4L1=&GxX#a*YJYqYi) z%Tqi@N|-%X=Q{J>zwgf8k;D>aCLPQf$XBl)nn`n0uyytx4EkWPF>0e_pdsXUIzH zAH2!Eo}6mWN$p(TB+m@!kkJpA^Z=R!Yy16#*dz+ujmN$m?=Z7&Za3@3J`4YHw$00} zWxQ~_vdRB6B-*oai-c%wWJErt*y(o4&k8A3&!t%yhGKp>$fi>WGM&*+p51!+BMOqeRtc~bba$= zp(8XWX8t=ylki^68Tq^VPI8y=aLde(Q>`@*`-B#ph#9M^S6H_u1qIq!(+Vv>dzQB3 zxPF`G^~8PpM8G0{lZIt-CG`2T^d7;`(dMLdN^>TWsjR`HBcs!$xPuN7yRM3wDG$y3 zM5Frm0MS!+I!+c`jZLz{797#hP*%neJ`2xV?P4JRFwE*yaT`xabrX`;`)n1@efWC+ z&N(T{_6uExHRHFs`bvehhx+ zcMV%g=doJgHPd@qBx#tYJ)sw_j`b*19?$zdnf6T*_J+YBst{_-2q(>zkE|VirM4vZ zS8pRxVh15icLzx^_`9cUj!2!e@D(4Iesrmp@xJY^D;mpgOf++w)dgJ-i=*GRWy~ zWa{;9$jJd8u{562Ee_-+4T9CHM5reb;AOJVdJ60C_mXCtd2{CslIzfcfO-%sw!Mva zpo5%@^(Xm8K$-ynpC5RH((mkJ_AbaiNFU&^v^hJE68 z0OR@*bJFpNns?)SR0f6^1nAQ1&dtgVLfC5x7Jx?Wm>`L7KDsbv*vUs+qM-?nQGHo2 zY)l(r7%uEOT7;*>0GMbj^hA(8TI{!_qz|{3%R>%fPmCpI(Ng0@m-*8{Rve|Hr#09` zc<0PxcGEV?AC!bZ?kEqRg@U~7;T(3j_eCysnMo$MRIc)5S^zpxQB;ludnHi{!nWC< znxP_V@qjUFxU*Nl88lwNSs*5+7mJB#8zySy#4 zJSX<8)9by6)i=Ec{x6=b#6`WAj=@3=uT!~on~;r~N98D`0gLs*G$Bgs6&nG>jr=>B zRnvE-o+oM|oJ>0)he7;$6XY=yY!udIPoJ(lM=MQ6C*y>$&^4u^tO~(5Av+A962s-L z<~?r-*m9*SqM~5h67O4QUAo;V^VzMA+V&263Rpo%+8uIWA^PB7SZc|SNLS|VQ&eH`q zVg4d>oxzUa#)=mct9SJ@r!}etwT?y+^e0Rp=!bwqZ#*&eA1#0jg_f=JAZM=%l3Rj^ zhqAd4k=ZOdpVRc5fs}yKWLtvR0`pT$IlLwZSnfC7uqP{2PH4U=@9#7@Ow6)$ay{y* z^J+WA~_&DU9S zn4cc2350O@&9eJeSMxA!m95cq=mo}wxlfPZSNPa}zh5<}1tfxM|0IHz4QxMpsh0{8 z6OHh{exVf=jYuZ{nvO#wJFp6Z%i7g;WtrLD@KFEY*hW*v;Y>-^QT1rqQbX#elCz)0 zbdR3-UIG}`?G*w#USMd}OtZOzzsV>=4VE&&qfjj2gLh?FANG1m^BWo>Pre5ekkoLr z>byq(wGpy7JNw~|vKWx)HR^Ap6IC#E{aS8n+?djC*?S>Mzm6Hh1{qIc#$I41YjN-J z__&y2EL8mYn3v6W%UDN|xP?8`Up6ugdN=KYW@`zlS~}Jdp0$V7^-3LRBy{&y(!0Bm zfAx1LXVE|f1TV9SRjg;qLqV7}&tq#?)kx%g!Wk2dPTSnIBf2d485z^^%o2px*W=5F=Tn-@C^lD5#hGrtgO=-RBk*hmBiVd4Dk+NPk!JO= z8^MA6#rY>Ue+uNU{X5otH=!DB0P&!9WH{k`gU(06evHzkTV&~^1(U^pL~L6(z%bGQpV5DJlCu&BS674Hh zSwXu7TXtGWin-A*Eb_Vf7QZWduQ{`Anc4&_+TWfPxL9mg;9Td!@bCPEI@%RL zOQvYip8U6q_5le#=rssxX#K@Uuvx&`mq)g_|2@wO2GD)jl2fPp`=KJ>0@@WYSN?Vq z+Eaj|`A8$}|Mx@XxbPKUoMpLQ@vgqUu%g%WyhN~;KBgq zX6_q16x@6qI~|hnj=;r^-{nqBmdp_8OB3ka%P&GD3VyrVf0{A2@LrY`q^*7D3HFVz z$MfbpzNN`KX7A81BcL-NTEt1pmck@B`x>#*L?(7s2zi9t^5lrwaUy?*X`Rk$Z!Quo%{^?gm!~0cx zR6c*=83Ix;xFw~L?*Cn@Zg^wn6kF_fEdlIN8hAbGe>KjQz-negQPcm4dhldESSo%T zZb8Q>RD!CDSVH1=*-C(=svkI{pnFPgNrBSo;NXtuiMn_zt@eW^Z&JO7&!mA zZaXmx4=-hUHH0bB!$qOr^Ixb8LtmAWO7kiGB%Fb~KU4Y14qeJ0xZkNl$_^Z1cvR%$ zhCi@ef$_=goG$nL8-O(YS|tq?U}N2Z2)DrP`Rj)fm?1ve|NgQzIp7Czlp90w^0x%b zo8cDJNhkqyn|KWaT`)eUoh7z0@-{L}Wj z?kNqU1_a?P-4^2xgn`aqJiN2VO%j{yajBFdkkZ|~9Eh(}B|;_Lq$)=7w{hCi3E
S`(x~*)ECO_-Lt9I{$ zO_;NaCL!$CqPP2kTar&q>P`^Vx6x^toX@W$V~)3t8HeuNF_hq>{k2yO(g-yU4cw`z z>%F7hx2&v-#twtR^#S7yehbVhgMDk@FG*e1R($?obG%k^j8Nn$V79^kfe$aR>)qv# z9=W=LHFkuB^cWSQr2F@Ozv&8pb8Flq^I3y{hM^(NS?hfrMWOpetJj$5YdT=xCIe1S zPCoPcw$5f>65JsedX0AWt;IJ-LpZE6JWc8z7GZL>=mx51YpB*gFi~6b(RC;eZ&aDr zF-CrmXFK9O{%wxSbkU-_uP=j1lYVGGwmnb8>GJ^yg2oKt55b*oHQnTh0DaF4gDSw{%wlM}iYaN4+_UhvUb5ORUi8w;7~I?!yFPD~>+ zqA1^KA?e+hXWrTg-BkcF-#Ye<)QO+SmohP82n-|omile&)C$`a zTR*M8OQet)P1fbrsajC{_B7NW&%_NIiR~mJBC60!baU|y=g-c|3mnv-yzKe!1esNy`Bx(Me_08Lg^Ntf__s{Q==v(r&Ro}y&ddn>|=m8!9| zN=?-WneJ!%%RRj2xfC4AO=usWrwSg2hrFxc8I6IrZr#d$np9(*AxrU+`jbJX2Mf|U z0!Q=66NYvH(cRO>%7jA2|6(A(8}5Yc5>gn96h!Jp(1}USGy1+Fys#{KljP~+mbTU; zyI;uUkGh!uicHGiGi>q`Nj)nN;^ib-q>n@>wf&9;fQD%ovNWuxt+SS(7vK{f8^Dht z@|6A_+8#UA(#EH{H;;n%0C5C#k#-=;Prmf`XMrhC08Jh;0%&rZ$2z^cyVzlbmhxa> z%#ARPH6lP>eod@kOC*YZFgxhwP+nSZR=CI|ZH&>5&19?MTT&811OUJOyxpN9b`in! zH)CsJ2-|lYBw+I>$uBUc~^o<_w9)3n5;~hLJ&rW*-W(=&BnPvYKT(QauFZ z^%tlDXBDnbrcd)!BVT;qyOk(V5KZpZ{nMuALt~f$%hrdY9>&EQJGU|IJ0~_tTB7lV zPU6AAu)kFd4%9)w(?kUVy za%xGSc*K7Lu7f!wk{n6u#jhOrcZxFN^r&73|d{8T4`ARGv#6AvN;{idn`k!;Q|i1Zu!ns zyUSJ)t@_U{gJW3@RTP``WJLL4jJvriVm~b_UU&DfNaQUYZYl~$ zR_X`GPL;xCVU`E5ZlZBl$P>s1$%~ZcEq)J=Pu6v7#R*z76>rBa)H0fCgI&0zhx%Z> zT2p%B#hbmHy*DH^pOe`XUc?^9+;NZ58mbJf9`%xBwZUlbkdu7tCSBVY^hj@y!N8C| zO`u(rM`l9MK$?^myL4PnZl&`szcz;9>Wt#0oK0rYt*gm8pJ|wb%IfyyrlMBt zPpo5>fic2$EUFqMpK!X^ci2z~#(Q`!@GOw7$=0L-N|ZgJi+SvJn8>}?(=2zFnv9H$ z%Wa2}n8!N*wYsLJB#TZ__UPyqJ8s|X*jv|0n~(RRViKecYix3~fkNaenr_}zB<#*&(!}?w!bHFcWKy+`Xttf=<${ivedAv_hu!NY2&h!&UEtq?q+R44 z#zZB3R~AjA+^x>7oK?`zz{dd9X3TV9YP zW?t>pMLpNU>YoOZL$WE%=t%|zvMC&~)P!J8X^VJgXfab`SdxQmP>V*0&L5a`v>$cChAvovGZ_aDVM1C@&X z_Dd+a+s<763Occt)%PY{|Ax$r6j7TL*18hg>8iw3BR7qmrAud=xp zgV9&FV^&7cAAKHwbey7hYLO9gaIY4r6-6c4LHOcvxba||;WS}Dw{Gj>gnR2OIiFBo z4kFfHDV5am+%hx22xE7uv8dBguUntLld!j5mcB zwZ`R-j8C9ZddgS6d1yf@2qFTcxv!*lKlPQ;4;SDZn6HebT3NWR=z8gK)6huTD)-y$ zRFK$dQn2o9m8F>a=NO&u@;AJ1EhL_kc=|N=pgC)=c*4Z!<0CK1`QCsgm=9wR?|f%-|5;1RtpAMEL!TMP552M6choel@KaY%4n8(t=J zVH->kTdu#sTTRhEeq+e3>~#8dY&8KTPD8B0wBhQDex>cCses#8A}(kPZQaGxf~8WI zuhWlgHspf{)&2}K1|#vb(lZ8|;!~MeVUxX)%v2c_?)g9W-5JxdnIwa|Ne%oTd($Xfuer+Viajo2a z#lI(j6e89l35s?;bB@q}Ajx4rVm8XhPvQ@Hh@@6X4^U&?gpOqTW0oiA8x3K06V|wA z`gg<9MZuS=by4MI!?q2?Kx?Fo}5KzfcL^n>>lP=dE}E z1Gg(%MnRkEJIfm9(3wT1$(>t`7bB#n0q-Uc0-HeGE{7+;BsCw?P~ZTKr=|&Co7C;} z=YlY{{t*LryCKb7axumBCaztql=jI%I9dB7T(98|1np*ip zyT@5s;EavbJ}Jg8{jnJSl6KqS^i;P&DWhL`!mnct`5RkTilf|-AK2st50uW%+Mha<=kLDN3G#)9bH!L zH;aknvZ7kFALaRJ94%jzlkN{l9=hf9&KqqvP(>9gpAO{}Gh^0C6%tRu4!|U$9+{1a z^nXh*)D(4`kz;(%(a-7|6*{7qk=_OigVKGbFlVp%{ZEO^ZU+Bi1miAF^13uQy&qD4 z1X}K9OL%f0j^7T~jhx6Ir&Sy4KDoW1%V4D-geX{JqW@NJC2xux^!2j;)z@=l$xA}f z@Iw%NR$(z`DrD&Q{Z}6L4i}W%8h%r?p|;bN2?6MvbtwxESu==!mE5}Us(SrP$2ayv zC>jYvGC8NYJ$ltF{_p(rO$x%%{h*YTyuOE5n;waLFYJuc5{Z-ASyQ%j-~8dw1Fj|n zfV+_h`L;#4cGDkU48ut(APopduw8PqQyQT8eKvbmV3Q?e0*siyGsI~cfc3sK3nu@K z`uRLZg8=9KBl)3%;)iEh>CnY;6|S@|#WZ8#5RY}1n`19e^dna{2oD3F_45PZTM1zM z)cwe7vmC;A-%TFLGBJNJJM^TyCn-3Rg^sF+SH|xR>V%ybvrw}C*mrrBd(3NEO?GZC ze^~hH>HzY5&h$=K@1|seDGE?<^pHre%JB!G(%SvzcJFy5>~Hs_faL$#eHpxgPvE+) z-KNfr204jM3@21|0~E?e`fpxm${F9|&e?vd{or4DWYFM-cH!C^H~ixVX?60-gZ7b0 zlZBhonS6IKqNJ)`d4PQLToU0dp3k~yDJ~>jS-N`s)tWdnD^rFq^34D;vc46EhfP^D zFa_iB;CG0>Kov%$qf|HN=x()+9*BWqy^iQ;=?r#x60>nkxZd60l&r?Jqlv)~9a@10bO1h5PTW$~GLRPboi8Qtf8p>1sMZ3@}^+9I4^Mx8eGI z;xR*aS`dHPP9YkA>2$HuTw~bT$mQxcc@$jA(kYEa>?)i$bl#VgL{w}y8Oj3r{X;f{ zxC3;o<~sBAbb8c}ZxG16oChAC%4_oofJH9IHpi|Cn&h^A_vK@5Ff&U}0l?W+`M&AG zt!4)Um`oFq)voFw@eg5FDp`TVDtpaa`Sv7#_C^)(b4TRO2K6-yPAN^k#VqEs+%@(&>Iatc=bfuP)9>{vqz0HeVzS^B^4Fa*R0V7;Ew0|CS9 zJp%o@H^A58`^tX!>ua9^fACd_@;90RXstNlBTPu)PyfQLUqK*>PY^@;eV0 z2zl>c&_5mxq^b!)D)VqKcj!OBTwKoo8_WfV67O=9YeH`_9-ij|s%HKGZ>Lu>){eG$ z>P-c|)AT>cXbPMWI{fB!(8YX`nDb1~g+BnI1(x~#PiL1 zh9`Q{Sd$`C>6kiae=G<+V6{`5<8%N2KhRz)9`rA7i6ye_py<#3VA&!f_$~klr~RJ+ z;s0&h$wlBE+8@%?N5{)c-41er{#8*%J{Vmbk;^>!)B>{ z=OT&S+Fk#?7_p_Kt}Uw$G5;)+@{)>w04zP$Qy%*twg+U?y31k3z4U;2WhuEE@} z1Wsd4%1-%s4Qtl@e0#gpd{tbSjDbK@$M-&7|8*7G70DRtKts?<1hTjG+*}&5Hgk3( zN0cdlB@2`^b{_i;Ta_u1GI2H;OF;Ya03u~(q1$Z(+4Xg(t1>~F(-gAzj|n<-QCyY@L8Qp4@fy+ipYiY? zp8_A8dVmJ>rTQYsKKbgME*uH$f8w*9v8x8aesl=E+HCTOFA3ulstKAtIY6K>9U^T& z;;|T;1=A=v3D&T$+lObFxn@boEbbJ@oQ&1!Ke1(+X3PTHz zt8t_EUM(0g6jp0>TRy2AlzIW(+JFPdo8h$IK2uVGXvY~@B((q>Rp#It$zyBUkU`)* zatQ#ddYy3ao0oFG;7+wx0ZF3tHBgx z&sj+;-CutXh}xzLL?X|Mo5B ztk9O*2D7skN!yB#tR^Ss2OrJtCm(&}r;)GS`+zmW4-i+2@xVi|R}g;Nx05nozVP+j zo7T#=sA**NRG0~{chMT5i!aw2x;I_*Ae+?jXiGHEA(AIxruP0jVKdpnbz$Q_}|)&kph<{ zl)TDsLx?AQwz9G^XCc&RH&GCUqe!hoPn{ibH1d)u6x=Bt4SA^x(8pL*Qy(hVzY_C& zF1?KR{D6f8(%T?Q_S6znq^cABT{*&jx4i#g*ZCAfBMxlNO)W{2m&|YOXr11pawc$* zw}V9Mg?BC~=%u9 zf^-10jt0lc*zJnSzA~k}=L-h%djQw%Da@~>YhkIobeajkWa^ovE6+T*OwZG;_xe?z z+1iHj$H)n+8(7c!7xvUV)~}mqu3Pbj45d@eU#S~ym~|NJaL@ihwuqZe+Geox)b-)-n{cd=)YZNAdHTXcM3I%vdi^?G4ncC`Mz5iIW6fzE{9G3A|;E1z_ z9ZzhcR}Ry6pMe-8z_`*bxbSMet&9cE(JUE9_DYI)%Q599%s0;z6dtTYjo*)$S2Dd? z)dp)Zr~D1FkqRfWf}aH+*%tTwZZVXm+s_!lLs%mh0 z0Gup0_ZH;s(7o(X3MFlANs4vTSFQF!ZiTDnMrI^~PkjeVS60rd!H#nCDjF*D5>FM) zhzL$0e%eF<=MVgtQR{%mlREdM><>?M`G^-?Q2Gbf2%zpKCh>eu*LA1>g@Gq*-FR~a zc)C+TD#+%^)^kjsegX{+=Q~@7z0gIRPAc>ZC^RC^RbeLL>$_yyvq<4Ji#w=D-{~PC zOYvMZ=~FpQLk1EwM$((970b8tqB8^x?45|&zIo0HP!N&ZeL~45?Zjc?pL-69Avymh z#vF0ChuglNuPrf~zjez<=Wn)yk)UdCrcS|Cjv9{)ED`c7o*>j*dD)dQ>fH*u(S)By z#7^u*qg5_<_w>+C-fU@WOM0_KBp@6e6%<56mHXCo-2waK4nkST+1Km*MaSMdHK?{a zV`1lE%ky_!PJy_;9|acx>fxUz7xi_yQC-IrJv7{QgD78d5wg$^;Cq?Zb^avV9-Fp!UBKXx^><9 z#G6x2fGml_Cin=qrsn=9Wv^ge4yxqCQIAZrv7@Dxb3 z#?YpFsgH4z#@f{deUrbS=tqR~_|XC$_FQ$A*2%osG|^QQZ{L6X-TSDPX3@q&NE9jSGjU2WqIXJS9gBS zwb-ivK3`Kj;jCNO3{@P*6^>*PM8OSYp(AVvARKKr=ou>C54k3jaXcHoZ?Am~g0>Ds z?Ww&`D!**ZwOyeJ&=z%3hL$VA$CHRP2aAzCGTAtt!HKe~95u<}zFNQ0beI`Eei)o}_%^&kd$&4l*VaJ%L#w`*I<3<-Ho^#XxX0DL z-g?LEIO3(goA_cF59cAV(hu&w}O zDz5(g>sbfs1@RpzbyztU55(JGVMVBi?w8FK^ZBB;PYXVJLSoX)s_sb>sr5zOKpQa; zkCIaw1rO{o$=;DSP>7KFLvjK)d#n$e^J^zsj1G+{`l08ad>yVTi&8%T^AY_=7UQd~ z;z)IgVU0yr9DFNJp~kgWKo=H9A1!lYOfLMqrt=FcyE;MktvTwc>u5z<(R@$KQ0X8q ztrv!PAG0_{QSm-jU!qZ!A-Z<<*zn}JeO}$pVtX=Blk-tHBVOf2o7s0n3z#P^#yX8W z?Bu8^rYe`O6gn5Iv>sGAom&;VI$My?{#@UIVAf$7>s$7BNeaH;780k49YTwbIhZ>2 zb;-5uR2gcsl4{0Ot>wG&P-pFp=QYIptAla-U$}xcPDja$jYjkWghk!1h5E#31SH!4 zC0h`kB!IDF<#C1V;>MgSQc}Vy&W=ou2C>gmM$L-7Gvkjp;DN}5g9bl#I)mn!L+iQj z#-5+1qxuy`=D*4ryJ89_Wy&6qRdzqWt76>2J8OM3oL(7!FzMtghgfdjO{6+?0qS4X z?Si={&hXo8+Ib%~N_K2V9Bb^3HcD}J^W)Ax$2u)Y&p0WCv1>{g#92{}JM8#dH_>4D zn(kk*t_y0!gHxX^lxepPMuSLM5{KzY4kqH)CwdC|`=e$ctqFpy=~K7xj-wl7V&hs*B<-~o5Epdu6PpadsYdTL}+!={_Ea@~yUMcN5A(A5Z$U4`yD`3RwJ->FAPuX_dpw|IhjpOK~>I!bRez-OhUj?G4)p~#U1@{9> z`Q5w{$}-FHG3#0FIl-}93%VG`j^W+F2*9rWgOLZ6#uH{{&@HKHuLr@JTemV*`Ni|wnbTeaf{V^6?uMWvuIqY|<^ zFaM5XOVZ?+{7#D0)av;B^w-Om-(RP{4Hw26rkR3Gzh8vcs0LgY%@bH}%_)-+@R%6X zIA+WsX5kChI1%7~mSwH6<(awE%Awlb%ormTu5Fvn&p?#_K$*^uRm-(lG%Ibh1rK9l zYd_yUt`%1a`i4$_V@#fb3S!L*+g?tc>94)Jq8cc#?oLIsU_EhI8N9gl^XzTWRtAWn zi+XK;vgnMKUZO=*3{I2ig=;x!miTvRg%i(=aChj%I@)IIEAuoq*k^6`ajU4SvOE?% zh>DD4IzBdewYS1u$G;hHJ@)wJxUClzW_05qC)oz9oyNt5*cAm{w6HL@-!urAsIP0E z86pi3VY5+I=T~rhC=(@pmEAIzz7iVNUx3$!+L7{{-J>3OkKG?l#C^dC&xG!P6dG=NXc_na)WYp>tzz}eAR>4 zDcQ*&aCEP%f}IF{VbJyDh{AdJ;`(5{r!mF2GTB;8;5ehPWd$ADfC9|02Y7}lRE}2zG*>z1mL8*IGv0$O{GE$u> z)qFCIOv1yQ4<=_0c`?hj5Xup~$!5K{Ny@`9Z+r!gw?zsoa_}?VWR{LZ^lo5Pf43H+ zfGKQZ)9vi7{p5O$L;iS+inIpOC5|m z^2m;*whpNdQfn`ctPW&AD^gyN&Mvwu4~sWPMn$E4tuX25Q6$qU){3@0mFNX{3~jqi zP&n%(tsKC!J!qpJyiyL+SD}KOd?ik&)QdgYhK%jMQY$Uu`GzAwCkAdl1){AkpY-Er zEUC7$N0@WoQ-hGrV&vWDKW|tO6nHq%ta!W%>EQz_y>8g6dlY*8jaU_yN>o2A0Nb*uY-b(mLo?}4HZAVgg2d>Y4&#WL5sKaI4*&9O3}W736nNK>(-Q~E+Zr4l z(Q$IUJ~^boz4t?*d-Y1Kcqg5{qzX`bhKSZ?gE*Wz<=U(I&z~Y;PK+vvo&DH|d!GDKkZ zIh><>_j-Gz&4*-olot1g;8{69Wz2l)Q}I}NIelx;m+keZd+5Nq=1J2%scpMT`boPt z`B#((HCx%wNb-=us$8jt7SEU-KANXdKZUobJdt!$e2*ey+Et1Kyj%e!?Ey9zc$Gv6 zc+zr^?C`mFpBz~rivfSO7eL>9j}xj^L4ZJe_h_ihh!f|wk2$zsB3Io1C2+Aa9 zPELBtz)y&$@hy0PrRC8x6*3k(Q#U5Y%*guV-vX+~0q1D;=)@Xv)pz>nPF% zSmxUMa=%6jG~Rs47>5Fy2P6oc(YUDdo!vIsCAx$L$>qVWbk-B|`X%h`0te23t#p_jeby;oA;*CJ}b?m)ol!H3^^P*y|hzM~4R@*|}&-1!-oX9^B zPm1jrgV+@TepZT(NK~fZqt|v1%XZzyTu|ubL5nAVd8T>=pewd2_vyAt1OQK^`t8GC zO|18>7f{MeJr|EpFIMM&LNHK~KDTUA;ZG&+k8jl0mFle?#a^u=)2Xj#Pj-Vhj2(7;zBYfFd{g>HTvLJV;s^NOBo2EI`S$^| zsbxLdw!ylL@s&YLd>3dqCF7{$ai;Ow5t_(h?BSb8L3_A5Zsmu{NVQA2GH0`TFF`_y z%26LyzA<_eun#)})^kWfHeHwYZx8yviMPMH>wU8j^*C%GU;I<+>q0@h6wQe1|E=}q z$S^pb-FNJN-Xx*{rVMWuIVBM6@S7v=A_D{2K@4~CFTwTydKrNCduS!VP}ANhAUiAz zbfEZ6I&-Ih;K=VJjiO-r*WXI59#o98W+_hTJx*2+LkjvqjNrq0qDfR4zRH!vBPzCi z;P|7Ucl;AIu zi035$P(KSvpX+~#L0v$z(5qPT;$Bur5$X-ltLiA2nExiUc_G{XMf0@apX<050mOme zeNx&##O&W>z(1VW4AS2*7LseTvPZ6(?g$D z4R*BKocKVmL52dPQ~l`k@Gv^zVDksLVczGDu>mOdj2CLd&8(mM~RKrDC&Ic_Ph;lJRztX>gUB(qzwGke~LB zM&c(?2U?@KdEN*$-S)iyXa#d_evy#O3-ELaLXCcm&}`y{>yM1FLVO=|-|a1#s>NVn16jTf(JK`ehave#G!34nBC!k!+05_3znN$KL-sWvo!PcpKRLS?E)Y9NL z(PME%{^7~+ypRvgTH@Ys5ds)Uf%IS$eMZ02{&z5nBh60ybRm~d6>!Z2$fASBuTX)a zl%Mv08rU+C7e*IMPw$u+0g-f!{|xQM*T`a6>Mlf!sNufiZCoB;(pxa_f#>-Due9g*pT$jxp%(_7_IN0yeBZd49 zAcgWz&>#%{^ZaqN2^y{s_A+dJ{4)PeUwOA~w~A$D_lk7cMT zTcYx0=-EZKgzE$tZ9R@3(@@c2lJPlqoT+(VMfXed@>~(W<9%jCQOxJ-+-O%&P~-5L z0L2kRXPbKR;Vgx6P)W7B5X3|d43IphL`POeop1mvmL@&Bi4K!<(Z;6~ur+UKZca{r zevte{l3W6SaEkW!SHVUVLpQM?xh|72Q#B_f=jJgvX$i1rEFgp@l(u)$2r zc%UtA0kpt83s`@x8BXh^cPoSDC=~FM2iEgcZ+gv2aZ+n)P#;3qy2R3c{`@rX?KtdV zy@B{%wk8@TRNgPY=E)A~tO>a$tzQn{F?ErYr(wEU()z}Fj@)DWzjmD0P%x1qqePC@ z4;Sy**gRBg#(1pXTo=v{inz}TQKPEO!p z_ZJTH+C1Ix>CKkwNC_zuAg8WCH_9u%Kg>7Mk!AvMDR)k%FnVimKFo>8I^Ph;7%6sp zIr_3T?D_2?tv^n-i{wX;+X$2?t6T0w=#S99=UXwc2t?JLrO5(*}LkjQ;+)2~c;?Q=g#sQd4dgzq zZaRGPavL|{?yiO0U5WT12MFfP)WhH^B<`(rUTv{_5)lmp^9GH#45%e#K%n9sEG0E)wY8+MFp?RJC!Cy|^I~abWF`_4AIFRe3JO;DG&)R3bM~zG&h+>O zYxNIdrZE~176I99_lbfZ9kB6opy!YAnRSgYqB}dUH2*km3i@6MKDj&7dj7RnPU!I+ zy14cz4u2mpI4rkqvP>Ua=xB)0dU(y(X#Kn*#kIb^Z+KV~S8(@U%<*b|T2YagS;@RD z|5=fq;n-05BlJnf^D9TNvzo341jr!}CpOlQ8i;Du_0W$8|LibjCUb)bZ*K-o6k)_7vIVQT@uOp4=5Ei!f32gp*RQ5|%jiWHy1NH~SbP{V4 zgPK+h6ns1HK!EH&VLmm5_TTG28dRRtr|WX&+#O+X>I>wO2&o20Z{mDQ3(sVB>eg(7 zw{nP_MP};i0M4%&zd%7W1k9`L4y?)(ImOP|ivZ8-?Z8QdcuG*j7&4j`(cL(|(iFCB z$$XnP@S_hgK12|qMgU>2c=1!?&ON82-5?nlqFaM$)(va6vDrYeVWWW2AMeuvo}y%x z`5^WYnSHiv0CyaI&GO zG-qBfSiGfXR@)$J>Biv<)d!T}QewdHGd0nCj^by6CW@@BQ_jAnH7k zqKpMEjX1)l=4CN8zHw(ugw1r+`%y-ArJse|y;MAWRs&o}Cn-PS2Y6`nAxe#J*%1F0nQm7S;p;hpde66@B~_OkOva z^7rmBUs-;jpf(aT3FxQv$!14*aZ!<-e@;GGFC2f0LBXpzs1XM(wyxP~RQx*BS!Xoe zO8msAD_$`*{i+ifsX$7`av=jNe;jY$&p-UtPWZ_~{gw*r^?ubJvl;HmaBcfgEys16 zk^^(AIVeMbcYgql*vBpfNlMXz0-KQV!SD{=Rr2)4xHCI8&GXdNrH^FhDOYYrNO0a1 zP-@vZ+D}#!7IJ-aenxxfu$9stwd@`j`}F)^QMl)UFkj@)Uqhn80(+z-{Up$>fI&?* zTR)*NQ2akid?FWJjCO<~!IF*WYCL<9T9l37%~Luk>380Sgh4Q z;Xbr}VZO2%Q2L(*29*Md66PH zzP3OP>2rZRtqT&XUOgVFBIwoe)xn=FIKoGu)maavXF3KEw4 zEA8BcumSeke5AUlhDaFMe6V5x_Guv4l7+S*$Ulp@ffRLpte`dcO955*1_)Ez3 zcleKO;k>5V==9!;ua9n^RnP=N3^%*vCP>2HXX(i&b)y|W6gk`ssbT~{#uj8$sc&-| z&feK!ydZuECOI|=o40=U+zh~5!N0+|;32ReJIcHJI)G@MkE-Gv^6h0oBzx(MjAm)K z^*p5Dw0EG{-V8^DEUVb`jBHp8{?`J&hKx*JA!R90xY8mifexKm=%s-;1gILWRvWtv z+?(DHb*p$+vbkE=-maNRHr;Y-Ug&{TU-5_)Fs8h+A8i^k(t>490-fDD;$7Qf@&lkM~xQy?pDUClH! zI+Y`1P^j}q&r*51d5C9EUkzeZKza^Py*2Iep|aH0ElPDcMWJWiAdE^)xP^&`1d`vq zz0JfO)Pc`5{6WON0 zFreE7iF9pD>}Bj+I1euJtH(Pe_vnVVei$9M-sLeLc?u5hmbTq7* ze7{*!Xpm!g(HM=GXOlW_l-7q=pLtunb8g4s2Hkc;J~L{8jr>{V7t@daS@haMGpL$B zZRMJL_hw8HD(r+WQQ2#`$iom*-=dqygRs$<7~^9(6nr*ob9NRvo_Ss*EL1&5pVAz9 zUhCaa7bTKWj=i|JsAijOA=HJaA??5HX(}NU7C4Ozr25M?*s-&te_C-yNNa_h; zDSaw7wNYPpH~Y*|CQ~dE2Sm56wKa8Z?d=^Nvz*-EnarGlXTd{YhjgFLLhi@ZZRp3t zuI^!Jw)XbA9Z9k>=W@g27Ngz4%b?qpdue;JItCaoLR6P7gWApJdYPT~wy8Xkt_0j` zAOuEXEuyVKdTuIoyYGvH8wSo-x=*}*!1SpwBsXcXD73p#O4S9=%uM^qex${sHLdp^ zT4Zr%fcMZ7q@iB}4gi|6VEFQgH`VNfn(TGbs%7l_1%gKkn>h1jP#o2`N2(fxHioI~{*93n@%c53s6zWd4D)E|UK3)t7#7 zIYO?tNH*N~lkM~`rR-%$tr;@pRx@Y)SrJ!@CtWWC2GwRaK^3eEgc<*Xq#-jve-IRI zUwBMzpbx1Vr;f3!jWT6&L;Zh=SU^E$9{&I%Qw zYQ)Pw>Bb?N(4odUAIjID1}b2^xP4ba{?SEw^m`E48RNf;(fIojq>TTGlrd7-kA_tC|3-Xxw(>?k zPskpzER5XxXE~G2pP>(ijG$f4X?R}9xLev8nhzXqO)h`ETWv<04>-GJKyK~7!bs4xuK|nZ zmCXnLh9~$@5linPZdNtAi!;6h5OGU4PU2w|GC}NVi0Ypx8nYR_0*3OaUDdXN2fKs+ z(KkV^8wlIUcLT|IRo9Tybc4~o3zr8zu<{K4Ur%9+T3R^Bo5AZcTep2+Dv>3*ipk}1)?H@X)rUF&Rb@S*+HLbl*j#fE(4ExHntmqeF*> zQy`gokskZDS!Khbr*77pSOe9m!MIlQ)}LvpP|>5&RtGfMLuKmMR)cl(3_pDSs1_I6 z+$?=~xJVV#80ZbYmOHV|rpXJY79ccX%!QvrjoRAmM7`TLKM>}d?x-OfAq{+Mg{yp& zuF+USjogiQ8DG9MEi{EVBns85xW}chl18h zBck)2JR_RWm69|ff_KHADX;y9-V?-+q(*`01sc3WaDbQJkj8aaExdcX#B*(&9iJ7` z=eQeFY)2RJ0j7bba225(-0mft8WnkhSsSC_gF+^HIrb z$a_%%_mV|4kJnTzVy~~pUjDY+US3)hVp^hZR=P*Rw-}w@UTAR^2*4K&+cmq%vdSbT z;q_s*#?()X8omp3E>+FfiCRNf2pJvkH-g23GkS-*qpLk!TA9**?v?%2+3{;b!!DCD zSso3WWTi~y;R2JVGN-4Ob4}AHRb7hccrO%DkzL_ScrjLp>wbp2KzpWq-VjG^rd)V| zNoT0zui{>By`6Pu^^P#y{JH+#iU*Lk5AwML(DLP44ZiAA<~Du28}9O$ak|wvZmeUo z^A-;7JbiU&S-jT&ZoI^|ypel9$bYqQqtG|(0D^WVW#UNMuYH;VZ#O~IvYu3+vrM}M z5Q82$b?j1nf71vblaoiLfZy<%=glAFjS~A;jeC17*M_>oKDrlEonSnh$my>5Bwy++ z%*X+~;kceXYifjz+0`#<&<3nz%HXwM(?u_8q0tKy5>41tc{g$4dZ~I~o6^9>}o5tYZQa zq3h;ZihU*ntK8;QMtwW)1i_mE-+&>;b#T+Bwaf)aMg=E;Ra#($)8=q7t}=X1BN`nH zGpS6J0Lz{c&b~}W^tF3O$uE5t{4-gR*U!P;qGi3^Tj*4IjB%5H$#4Yd$w{a>^?pefsP$LB*0&yB_Wv;!BJv5 zs=l+D^;*(p@?fe09KKd5GIZ=(Yb27<4L)b? zMhC5hyIm>0$a*mjlUWGeRi0#7#<-@^vT0On$~anfD4HkQJTzox9yk88b%}UYe>BRx zebMoY6`U&yhi`X~2Cg!C^j@HH{{um(-meKK%hC1s1)<%3RJOl9r^Y%?}7Z@E9LQD~| zZk|t^3v&;%9o=hmwj{7QTo{e{uHUM{2b;?+%biy%cBs8}`_7#ZFqWSFG;>n3eG6BY zN&fr=Kb+=`!nZ>wT#~xWmLttN?0+FiErEKx?8Sc6>}@6~om08-vUp>}(H0?zFYw;kfTJD+%3vnR zfeK-x`N(6NUdJsk&9&)Kjz7-?_5Nbl*UGtr(_?kp%KalUaMmKu_Mrh)RO6?7w&NjW z&*`D=Dl~r04HroM%9ti5kLgZvk}+AK_VgLSn@y8j;sQUDCU5k7>oa)nN2k}6|Jj7r{w6s7b{glu0N6KD6`Cnf0Hw!*y=Q^&Y*$zXDd z){*=bob>2x=SiY&1?w%{{rR#s{rI;(R2k%wuq)ZeO2WUfVi#4gx1CarB_gI~NiiLT zHz^4#?;xuM^?h&5h?!bVS81QjC;fO$St3QQ3|~wsi6yDcTq}w=n)Y;we4TQPIOxU3e5cFsv zTFcG?InT*zLuDJGH$BRh%X_EFrpfrpqhQvx91+SwhWbg<;5@9w1Zn95%)t>HELEAR7SRODRh%5=?JD4nhC;y+--l zHpmx7TCfO~#_{u=VxuntA}r!gN;NSvv$owDu>bmEEEn1qny8y}`E3G=P~5Z$f1xq| zzC#o=W)YnPf`9$gReDBKyTlgGEIr0FP3-3_I;|;9#bK(;{U8|18;N fKs)_Mqatu4l&rpES=>QE{wMudPCWaO&WHa6A?x|D literal 0 HcmV?d00001 diff --git a/playbooks/Jira_Related_Tickets_Search.py b/playbooks/Jira_Related_Tickets_Search.py new file mode 100644 index 0000000000..0a5c31fa52 --- /dev/null +++ b/playbooks/Jira_Related_Tickets_Search.py @@ -0,0 +1,628 @@ +""" +Accepts a user or device and identifies if related tickets exists in a timeframe of last 30 days. Generates a global report and list of observables. +""" + + +import phantom.rules as phantom +import json +from datetime import datetime, timedelta + + +@phantom.playbook_block() +def on_start(container): + phantom.debug('on_start() called') + + # call 'input_filter' block + input_filter(container=container) + + return + +@phantom.playbook_block() +def input_filter(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("input_filter() called") + + ################################################################################ + # Creates a dataset without None values. + ################################################################################ + + # collect filtered artifact ids and results for 'if' condition 1 + matched_artifacts_1, matched_results_1 = phantom.condition( + container=container, + conditions=[ + ["playbook_input:search_term", "!=", None] + ], + name="input_filter:condition_1", + delimiter=",") + + # call connected blocks if filtered artifacts or results + if matched_artifacts_1 or matched_results_1: + escape_input(action=action, success=success, container=container, results=results, handle=handle, filtered_artifacts=matched_artifacts_1, filtered_results=matched_results_1) + + return + + +@phantom.playbook_block() +def process_results(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("process_results() called") + + ################################################################################ + # Iterates through the results of the run ticket query to link playbook input + # search term to their associated tickets. + ################################################################################ + + filtered_input_0_search_term = phantom.collect2(container=container, datapath=["filtered-data:input_filter:condition_1:playbook_input:search_term"]) + run_ticket_query_result_data = phantom.collect2(container=container, datapath=["run_ticket_query:action_result.data"], action_results=results) + + filtered_input_0_search_term_values = [item[0] for item in filtered_input_0_search_term] + run_ticket_query_result_item_0 = [item[0] for item in run_ticket_query_result_data] + + process_results__output = None + + ################################################################################ + ## Custom Code Start + ################################################################################ + + import re + from collections import Counter + + def traverse_string_in_structure(data): + """ + Return all strings in a Python data structure. + + Input: a Python data structure. + If the input is a string, it is returned. + If the input is a dictionary, all its values are traversed recursively. + If the input is a list or tuple, all its items are traversed recursively. + For other input types, they are not traversed. + """ + if type(data) == str: + yield data + elif type(data) == dict: + for i in data.values(): + yield from traverse_string_in_structure(i) + elif type(data) in [list, tuple]: + for i in data: + yield from traverse_string_in_structure(i) + else: + pass + + def match_string_in_structure(search_term, data): + """ + Look for exact match of a search term in a Python data structure. + + Input: + search_term: text to be searched, case insensitive. + data: a Python data structure to be searched, see traverse_string_in_structure(). + + Output: A boolean value indicating whether search_term is found in data. + """ + for i in traverse_string_in_structure(data): + if search_term.lower() in i.lower(): + return True + return False + + def match_string_in_jira_ticket(search_term, ticket): + """ + Look for exact match of a search term in a Jira ticket. + + Input: + search_term: text to be searched, case insensitive. + ticket: a dictionary returned from the "list tickets" Jira action. Example: + { + "id": "1234567", + "name": "JIRA-890", + "fields": { + "votes": {...}, + "security": null, + "customfield_1234": "Please fix JIRA-890", + "customfield_1235": null, + "customfield_1236": null, + ... + }, + ... + } + + Output: A list of field names in which the search term is found. e.g. ['name', 'votes', 'customfield_1234'] + Most field names can be accessed in ticket['fields'][field_name], with the exception that 'name' can be found in ticket['name']. + """ + + found_fields = [] + + # Handle the exception ticket['name'] + if match_string_in_structure(search_term, ticket['name']): + found_fields.append('name') + + # Handle ticket['fields'][field_name] + for key, value in ticket['fields'].items(): + if match_string_in_structure(search_term, ticket['fields'][key]): + found_fields.append(key) + + return found_fields + + def guess_jira_ticket_link(ticket): + """ + Guess the link to Jira ticket. + + This function searches the ticket data structure for Jira host name. Then it constructs the link using the /browse/ endpoint. + + Input: a dictionary returned from the "list tickets" Jira action. Example: + { + "id": "1234567", + "name": "JIRA-890", + "fields": {...}, + ... + } + Output: a URL that points to the ticket, e.g. "https://jira.example.com/browse/JIRA-890" + """ + + origins = Counter() + for i in traverse_string_in_structure(ticket): + matched = re.match('https?:\/\/[^\/]+/', i) + if matched is not None: + origins[matched.group()] += 1 + try: + origin = origins.most_common()[0][0] + return f'{origin}browse/{ticket["name"]}' + except (KeyError, IndexError): + return None + + # Group tickets based on search term. + process_results__output = {} + for search_term in filtered_input_0_search_term_values: + process_results__output[search_term] = [] + for ticket_list in run_ticket_query_result_item_0: + for ticket in ticket_list: + matched_fields = match_string_in_jira_ticket(search_term, ticket) + if matched_fields: + process_results__output[search_term].append({ + **ticket, + "matched_fields": matched_fields, + "source_link": guess_jira_ticket_link(ticket), + }) + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.save_run_data(key="process_results:output", value=json.dumps(process_results__output)) + + build_output(container=container) + + return + + +@phantom.playbook_block() +def build_output(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("build_output() called") + + ################################################################################ + # Extracts relevant data and add them to an observable array. + ################################################################################ + + process_results__output = json.loads(_ if (_ := phantom.get_run_data(key="process_results:output")) != "" else "null") # pylint: disable=used-before-assignment + + build_output__observable_array = None + build_output__summary = None + build_output__name = None + build_output__description = None + build_output__create_time = None + build_output__updated_time = None + build_output__assignee = None + build_output__reporter = None + build_output__status = None + build_output__ticket_type = None + build_output__priority = None + build_output__resolution = None + build_output__matched_fields = None + build_output__source_link = None + build_output__source = None + + ################################################################################ + ## Custom Code Start + ################################################################################ + + def markdown_escape(string): + """ + Escape a string in Markdown. + + Input: a string or an object that can be converted to string using str(). e.g. "index=* | top" + Output: escaped string. e.g. "index=\* \| top" + """ + + # Must keep '\\' in the first, because it is used to escape other characters + special_chars = ['\\', '`', '*', '_', '{', '}', '[', ']', '<', '>', '(', ')', '#', '+', '-', '.', '!', '|'] + ans = str(string) + for i in special_chars: + ans = ans.replace(i, '\\' + i) + return ans + + build_output__observable_array = [] + build_output__summary = [] + build_output__name = [] + build_output__description = [] + build_output__create_time = [] + build_output__updated_time = [] + build_output__assignee = [] + build_output__reporter = [] + build_output__status = [] + build_output__ticket_type = [] + build_output__priority = [] + build_output__resolution = [] + build_output__matched_fields = [] + build_output__source_link = [] + build_output__source = [] + + for key in process_results__output.keys(): + + for value in process_results__output[key]: + # Extract fields from ticket object. + ticket = {} + ticket['summary'] = value.get('summary') + ticket['name'] = value.get('name') + ticket['description'] = json.dumps(value['description']) # eliminate new line issues + ticket['create_time'] = value['fields'].get('created') + ticket['updated_time'] = value['fields'].get('updated') + ticket['assignee'] = value['fields'].get('assignee', {}).get('displayName', '') + ticket['reporter'] = value.get('reporter') + ticket['status'] = value.get('status') + ticket['ticket_type'] = value.get('issue_type') + ticket['priority'] = value.get('priority') + ticket['resolution'] = value.get('resolution') + ticket['matched_fields'] = value.get('matched_fields') + ticket['source_link'] = value.get('source_link') + ticket['source'] = 'Jira' + + # Extract comments (only included in the observable object, not in other output variables). + ticket['comments'] = [] + for comment in value['fields']['comment']['comments']: + ticket['comments'].append(comment['body']) + + # Construct observable object + observable_object = { + "value": key, + "ticket": ticket, + "matched_fields": value['matched_fields'], + "source": ticket['source'], + "source_link": ticket['source_link'] + } + + # Add results to VPE code output + build_output__observable_array.append(observable_object) + build_output__summary.append(markdown_escape(ticket['summary'])) + build_output__name.append(markdown_escape(ticket['name'])) + build_output__description.append(markdown_escape(ticket['description'])) + build_output__create_time.append(markdown_escape(ticket['create_time'])) + build_output__updated_time.append(markdown_escape(ticket['updated_time'])) + build_output__assignee.append(markdown_escape(ticket['assignee'])) + build_output__reporter.append(markdown_escape(ticket['reporter'])) + build_output__status.append(markdown_escape(ticket['status'])) + build_output__ticket_type.append(markdown_escape(ticket['ticket_type'])) + build_output__priority.append(markdown_escape(ticket['priority'])) + build_output__resolution.append(markdown_escape(ticket['resolution'])) + build_output__matched_fields.append(markdown_escape(ticket['matched_fields'])) + build_output__source_link.append(markdown_escape(ticket['source_link'])) + build_output__source.append(markdown_escape(ticket['source'])) + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.save_run_data(key="build_output:observable_array", value=json.dumps(build_output__observable_array)) + phantom.save_run_data(key="build_output:summary", value=json.dumps(build_output__summary)) + phantom.save_run_data(key="build_output:name", value=json.dumps(build_output__name)) + phantom.save_run_data(key="build_output:description", value=json.dumps(build_output__description)) + phantom.save_run_data(key="build_output:create_time", value=json.dumps(build_output__create_time)) + phantom.save_run_data(key="build_output:updated_time", value=json.dumps(build_output__updated_time)) + phantom.save_run_data(key="build_output:assignee", value=json.dumps(build_output__assignee)) + phantom.save_run_data(key="build_output:reporter", value=json.dumps(build_output__reporter)) + phantom.save_run_data(key="build_output:status", value=json.dumps(build_output__status)) + phantom.save_run_data(key="build_output:ticket_type", value=json.dumps(build_output__ticket_type)) + phantom.save_run_data(key="build_output:priority", value=json.dumps(build_output__priority)) + phantom.save_run_data(key="build_output:resolution", value=json.dumps(build_output__resolution)) + phantom.save_run_data(key="build_output:matched_fields", value=json.dumps(build_output__matched_fields)) + phantom.save_run_data(key="build_output:source_link", value=json.dumps(build_output__source_link)) + phantom.save_run_data(key="build_output:source", value=json.dumps(build_output__source)) + + format_success_report(container=container) + + return + + +@phantom.playbook_block() +def run_ticket_query(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("run_ticket_query() called") + + # phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED'))) + + ################################################################################ + # Performs a text search match within Jira. + ################################################################################ + + build_query = phantom.get_format_data(name="build_query") + + parameters = [] + + parameters.append({ + "query": build_query, + "max_results": 1000, + "start_index": 0, + }) + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.act("list tickets", parameters=parameters, name="run_ticket_query", assets=["jira"], callback=handle_query_error) + + return + + +@phantom.playbook_block() +def format_success_report(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("format_success_report() called") + + ################################################################################ + # Formats a summary table with the information gathered from the playbook. + ################################################################################ + + template = """SOAR retrieved tickets from Jira. The table below shows a summary of the information gathered.\n\n| Summary | Name | Description | Create Time | Update Time | Assignee | Reporter | Status | Type | Priority | Resolution | Matched Fields | Source | Source Link |\n| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |\n%%\n| {0} | {1} | {2} | {3} | {4} | {5} | {6} | {7} | {8} | {9} | {10} | {11} | {12} | {13} |\n%%\n""" + + # parameter list for template variable replacement + parameters = [ + "build_output:custom_function:summary", + "build_output:custom_function:name", + "build_output:custom_function:description", + "build_output:custom_function:create_time", + "build_output:custom_function:updated_time", + "build_output:custom_function:assignee", + "build_output:custom_function:reporter", + "build_output:custom_function:status", + "build_output:custom_function:ticket_type", + "build_output:custom_function:priority", + "build_output:custom_function:resolution", + "build_output:custom_function:matched_fields", + "build_output:custom_function:source", + "build_output:custom_function:source_link" + ] + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.format(container=container, template=template, parameters=parameters, name="format_success_report") + + join_combine_reports(container=container) + + return + + +@phantom.playbook_block() +def escape_input(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("escape_input() called") + + ################################################################################ + # Escapes the input strings to be added to JQL. + ################################################################################ + + filtered_input_0_search_term = phantom.collect2(container=container, datapath=["filtered-data:input_filter:condition_1:playbook_input:search_term"]) + + filtered_input_0_search_term_values = [item[0] for item in filtered_input_0_search_term] + + escape_input__search_term = None + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + def escape_search_term(search_term): + """ + Escape a string to allow it to be passed as part of JQL. + + This function escapes the following characters: "'", '"', '\t', '\n', '\r', and '\\'. + + Example: + Function input: search_term="abc'def" + Function return value: r"abc\\\'def" + Intended JQL snippet: r'''text ~ "\"abc\\\'def\""''' + """ + ans = search_term + # Note: escape backslash ('\\') at the beginning, since other escapes generate backslash. + ans = ans.replace('\\', r"\\\\") + ans = ans.replace('\t', r'\\\t') + ans = ans.replace('\n', r'\\\n') + ans = ans.replace('\r', r'\\\r') + ans = ans.replace('\"', r'\\\"') + ans = ans.replace("\'", r"\\\'") + return ans + + escape_input__search_term = [] + for i in filtered_input_0_search_term_values: + escape_input__search_term.append(escape_search_term(i)) + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.save_run_data(key="escape_input:search_term", value=json.dumps(escape_input__search_term)) + + build_query(container=container) + + return + + +@phantom.playbook_block() +def build_query(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("build_query() called") + + ################################################################################ + # Converts playbook input into a JQL query. The query searches for issues created + # less than 30 days ago that match at least one playbook input keyword. + # + # The delimiter is set to '\"" OR text ~ "\"', so when multiple inputs are provided + # to the playbook, the request queries all keywords using OR in JQL. + ################################################################################ + + template = """(text ~ \"\\\"{0}\\\"\") AND created > -30d""" + + # parameter list for template variable replacement + parameters = [ + "escape_input:custom_function:search_term" + ] + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.format(container=container, template=template, parameters=parameters, name="build_query", separator="\\\"\" OR text ~ \"\\\"", drop_none=True) + + run_ticket_query(container=container) + + return + + +@phantom.playbook_block() +def format_error_report(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("format_error_report() called") + + ################################################################################ + # Formats a report that contains error message from the run ticket query action. + ################################################################################ + + template = """SOAR is unable to retrieve tickets from Jira. Error message from Jira:\n```\n{0}\n```""" + + # parameter list for template variable replacement + parameters = [ + "run_ticket_query:action_result.message" + ] + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.format(container=container, template=template, parameters=parameters, name="format_error_report") + + join_combine_reports(container=container) + + return + + +@phantom.playbook_block() +def handle_query_error(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("handle_query_error() called") + + ################################################################################ + # Checks whether the run ticket query action returns an error. + ################################################################################ + + # check for 'if' condition 1 + found_match_1 = phantom.decision( + container=container, + conditions=[ + ["run_ticket_query:action_result.status", "==", "success"] + ], + delimiter=None) + + # call connected blocks if condition 1 matched + if found_match_1: + process_results(action=action, success=success, container=container, results=results, handle=handle) + return + + # check for 'else' condition 2 + format_error_report(action=action, success=success, container=container, results=results, handle=handle) + + return + + +@phantom.playbook_block() +def join_combine_reports(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("join_combine_reports() called") + + if phantom.completed(action_names=["run_ticket_query"]): + # call connected block "combine_reports" + combine_reports(container=container, handle=handle) + + return + + +@phantom.playbook_block() +def combine_reports(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("combine_reports() called") + + ################################################################################ + # Combines reports from success path and error path. + ################################################################################ + + template = """{0}{1}""" + + # parameter list for template variable replacement + parameters = [ + "format_success_report:formatted_data", + "format_error_report:formatted_data" + ] + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.format(container=container, template=template, parameters=parameters, name="combine_reports") + + return + + +@phantom.playbook_block() +def on_finish(container, summary): + phantom.debug("on_finish() called") + + combine_reports = phantom.get_format_data(name="combine_reports") + build_output__observable_array = json.loads(_ if (_ := phantom.get_run_data(key="build_output:observable_array")) != "" else "null") # pylint: disable=used-before-assignment + + output = { + "observable": build_output__observable_array, + "markdown_report": combine_reports, + } + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.save_playbook_output_data(output=output) + + return \ No newline at end of file From f1bc527581243540ec02789ba8659b43c34a002b Mon Sep 17 00:00:00 2001 From: Eric Li Date: Wed, 9 Aug 2023 17:05:46 -0700 Subject: [PATCH 03/47] Add yml --- playbooks/Jira_Related_Tickets_Search.yml | 25 +++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 playbooks/Jira_Related_Tickets_Search.yml diff --git a/playbooks/Jira_Related_Tickets_Search.yml b/playbooks/Jira_Related_Tickets_Search.yml new file mode 100644 index 0000000000..3df13e0100 --- /dev/null +++ b/playbooks/Jira_Related_Tickets_Search.yml @@ -0,0 +1,25 @@ +name: Jira Related Tickets Search +id: bd20698c-42d6-45ec-b7a0-fc356d624bdf +version: 1 +date: '2023-08-09' +author: Eric Li, Splunk +type: Investigation +description: "Accepts a user or device and identifies if related tickets exists in a timeframe of last 30 days. Generates a global report and list of observables." +playbook: Jira_Related_Tickets_Search +how_to_implement: This input playbook requires the Jira connector to be configured. It is designed to work in conjunction with the Dynamic Related Tickets Search playbook or other playbooks in the same style. +references: + - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/ +app_list: + - Jira +tags: + platform_tags: + - user + - device + - host name + - ticket + - Jira + playbook_type: Input + vpe_type: Modern + playbook_fields: [] + product: + - Splunk SOAR \ No newline at end of file From 90f7a714d6c87b3a5539937891901dc888b75e68 Mon Sep 17 00:00:00 2001 From: Eric Li Date: Wed, 9 Aug 2023 17:11:38 -0700 Subject: [PATCH 04/47] Fix typos in ServiceNow_Related_Tickets_Search.yml --- playbooks/ServiceNow_Related_Tickets_Search.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/ServiceNow_Related_Tickets_Search.yml b/playbooks/ServiceNow_Related_Tickets_Search.yml index 5cf7e82961..1b4808a1f4 100644 --- a/playbooks/ServiceNow_Related_Tickets_Search.yml +++ b/playbooks/ServiceNow_Related_Tickets_Search.yml @@ -6,11 +6,11 @@ author: Patrick Bareiss, Splunk type: Investigation description: "Accepts a user or device and identifies if related tickets exists in a timeframe of last 30 days. Generates a global report and list of observables." playbook: ServiceNow_Related_Tickets_Search -how_to_implement: This input playbook requires the ServiceNow connector to be configured. It is designed to work in conjunction with the Dynamic Related Tickets Seach playbook or other playbooks in the same style. +how_to_implement: This input playbook requires the ServiceNow connector to be configured. It is designed to work in conjunction with the Dynamic Related Tickets Search playbook or other playbooks in the same style. references: - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/ app_list: - - Splunk + - ServiceNow tags: platform_tags: - user From bcb28ec561bf9696c7aac65bb22dae78c2c4bbc6 Mon Sep 17 00:00:00 2001 From: tccontre Date: Wed, 16 Aug 2023 17:30:08 +0200 Subject: [PATCH 05/47] Splunk_Attack_Analyzer_Dynamic_Analysis_Fix_Bug --- ...lunk_Attack_Analyzer_Dynamic_Analysis.json | 64 +++++++++---------- ...Splunk_Attack_Analyzer_Dynamic_Analysis.py | 50 ++++++++------- 2 files changed, 59 insertions(+), 55 deletions(-) diff --git a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json index f5c4981c8f..b9e343bec0 100644 --- a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json +++ b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json @@ -156,7 +156,7 @@ "targetPort": "15_in" } ], - "hash": "13864bdc7ea935acde9ad6f1be501217c7197c4f", + "hash": "cb5ebab4cfc30aa2e25d82bca5228e99b9153608", "nodes": { "0": { "data": { @@ -172,7 +172,7 @@ "type": "start", "warnings": {}, "x": 200, - "y": -6.394884621840902e-14 + "y": -1.2789769243681803e-13 }, "1": { "data": { @@ -263,9 +263,9 @@ "join": [], "note": "Queries SAA for information about the provided vault_id(s)" }, - "connector": "Splunk Attack Analyzer", + "connector": "Splunk Attack Analyzer Connector for Splunk SOAR", "connectorConfigs": [ - "splunk attack analyzer" + "splunk attack analyzer app" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", @@ -273,7 +273,7 @@ "functionName": "file_detonation", "id": "12", "parameters": { - "file": "playbook_input:vault_id" + "file": "filtered-data:saa_input_filter:condition_2:playbook_input:vault_id" }, "requiredParameters": [ { @@ -286,11 +286,7 @@ "errors": {}, "id": "12", "type": "action", - "warnings": { - "config": [ - "Reconfigure invalid datapath." - ] - }, + "warnings": {}, "x": 340, "y": 320 }, @@ -306,9 +302,9 @@ "join": [], "note": "Queries SAA Forensics data relative to the JobID of URL(s) or File(s) needs to be detonated." }, - "connector": "Splunk Attack Analyzer", + "connector": "Splunk Attack Analyzer Connector for Splunk SOAR", "connectorConfigs": [ - "splunk attack analyzer" + "splunk attack analyzer app" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", @@ -317,7 +313,7 @@ "id": "15", "parameters": { "job_id": "filtered-data:detonation_status_filter:condition_1:file_detonation:action_result.data.*.JobID", - "timeout": "3" + "timeout": "2" }, "requiredParameters": [ { @@ -367,7 +363,7 @@ "errors": {}, "id": "17", "type": "code", - "userCode": "\n # Write your custom code here...\n score_id =0\n score_table = {\n \"0\":\"Unknown\",\n \"1\":\"Very_Safe\",\n \"2\":\"Safe\",\n \"3\":\"Probably_Safe\",\n \"4\":\"Leans_Safe\",\n \"5\":\"May_not_be_Safe\",\n \"6\":\"Exercise_Caution\",\n \"7\":\"Suspicious_or_Risky\",\n \"8\":\"Possibly_Malicious\",\n \"9\":\"Probably_Malicious\",\n \"10\":\"Malicious\"\n }\n \n normalized_file_forensic_output__file_score_object = []\n normalized_file_forensic_output__scores = []\n normalized_file_forensic_output__categories = []\n normalized_file_forensic_output__score_id = []\n normalized_file_forensic_output__file = []\n normalized_file_forensic_output__job_id = []\n \n ## pair forensic job results with url detonated\n job_file_dict = {}\n\n for orig_url, orig_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid):\n for filtered_job in filtered_result_0_data___jobid:\n if orig_job == filtered_job:\n job_file_dict[filtered_job] = orig_url\n \n for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections):\n \n ## translate scores\n score_id = int(score_num/10) if score_num > 0 else 0\n score = score_table[str(score_id)]\n file = job_file_dict[job]\n categories = [item.get('Description') for item in detections]\n \n normalized_file_forensic_output__file_score_object.append({'value': file, 'base_score': score_num, 'score': score, 'score_id': score_id, 'categories': categories})\n normalized_file_forensic_output__scores.append(score)\n normalized_file_forensic_output__categories.append(\", \".join(categories))\n normalized_file_forensic_output__score_id.append(score_id)\n normalized_file_forensic_output__file.append(file)\n normalized_file_forensic_output__job_id.append(job)\n \n", + "userCode": "\n # Write your custom code here...\n score_id =0\n score_table = {\n \"0\":\"Unknown\",\n \"1\":\"Very_Safe\",\n \"2\":\"Safe\",\n \"3\":\"Probably_Safe\",\n \"4\":\"Leans_Safe\",\n \"5\":\"May_not_be_Safe\",\n \"6\":\"Exercise_Caution\",\n \"7\":\"Suspicious_or_Risky\",\n \"8\":\"Possibly_Malicious\",\n \"9\":\"Probably_Malicious\",\n \"10\":\"Malicious\"\n }\n \n normalized_file_forensic_output__file_score_object = []\n normalized_file_forensic_output__scores = []\n normalized_file_forensic_output__categories = []\n normalized_file_forensic_output__score_id = []\n normalized_file_forensic_output__file = []\n normalized_file_forensic_output__job_id = []\n \n ## pair forensic job results with url detonated\n job_file_dict = {}\n\n for orig_file, orig_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid):\n for filtered_job in filtered_result_0_data___jobid:\n if orig_job == filtered_job:\n job_file_dict[filtered_job] = orig_file\n \n for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections):\n \n ## translate scores\n score_id = int(score_num/10) if score_num > 0 else 0\n score = score_table[str(score_id)]\n file = job_file_dict[job]\n categories = [item.get('Description') for item in detections]\n \n normalized_file_forensic_output__file_score_object.append({'value': file, 'base_score': score_num, 'score': score, 'score_id': score_id, 'categories': categories})\n normalized_file_forensic_output__scores.append(score)\n normalized_file_forensic_output__categories.append(\", \".join(categories))\n normalized_file_forensic_output__score_id.append(score_id)\n normalized_file_forensic_output__file.append(file)\n normalized_file_forensic_output__job_id.append(job)\n \n", "warnings": {}, "x": 340, "y": 1260 @@ -427,7 +423,7 @@ "errors": {}, "id": "19", "type": "code", - "userCode": "\n # Write your custom code here...\n build_file_output__observable_array = []\n\n for _vault_id, external_id, file_object in zip(normalized_file_forensic_output__file, normalized_file_forensic_output__job_id, normalized_file_forensic_output__file_score_object):\n #phantom.debug(\"vault: {} id: {}\".format(_vault_id, external_id))\n observable_object = {\n\n \"value\": _vault_id,\n \"type\": \"hash\",\n \"reputation\": {\n \"base_score\": file_object['base_score'],\n \"score\": file_object['score'],\n \"score_id\": file_object['score_id'],\n \"confidence\": file_object['base_score'] #Attack Analyzer's score has confidence baked in.\n },\n \"classifications\": file_object['categories'],\n \"source\": \"Splunk Attack Analyzer\",\n \"source_link\":f\"https://app.twinwave.io/job/{external_id}\"\n }\n build_file_output__observable_array.append(observable_object)\n \n", + "userCode": "\n # Write your custom code here...\n build_file_output__observable_array = []\n\n for _vault_id, external_id, file_object in zip(normalized_file_forensic_output__file, normalized_file_forensic_output__job_id, normalized_file_forensic_output__file_score_object):\n #phantom.debug(\"vault: {} id: {}\".format(_vault_id, external_id))\n observable_object = {\n\n \"value\": _vault_id,\n \"type\": \"hash\",\n \"reputation\": {\n \"base_score\": file_object['base_score'],\n \"score\": file_object['score'],\n \"score_id\": file_object['score_id'],\n \"confidence\": file_object['base_score'] #Attack Analyzer's score has confidence baked in.\n },\n \"classifications\": file_object['categories'],\n \"source\": \"Splunk Attack Analyzer\",\n \"source_link\":f\"https://app.twinwave.io/job/{external_id}\"\n }\n build_file_output__observable_array.append(observable_object)\n #phantom.debug(\"build_file_output__observable_array: {}\".format(build_file_output__observable_array))\n", "warnings": {}, "x": 340, "y": 1620 @@ -437,6 +433,8 @@ "advanced": { "customName": "saa input filter", "customNameId": 0, + "delimiter": ",", + "delimiter_enabled": true, "description": "Determine branches based on provided inputs.", "join": [], "note": "Determine branches based on provided inputs." @@ -477,11 +475,7 @@ "errors": {}, "id": "2", "type": "filter", - "warnings": { - "config": [ - "Reconfigure invalid datapath." - ] - }, + "warnings": {}, "x": 230, "y": 148 }, @@ -490,6 +484,8 @@ "advanced": { "customName": "url status filter", "customNameId": 0, + "delimiter": ",", + "delimiter_enabled": true, "description": "Filters url detonation results.", "join": [], "note": "Filters url detonation results." @@ -526,6 +522,8 @@ "advanced": { "customName": "file forensics filter", "customNameId": 0, + "delimiter": ",", + "delimiter_enabled": true, "description": "Filters successful file detonation job forensic results.", "join": [], "note": "Filters successful file detonation job forensic results." @@ -569,9 +567,9 @@ "join": [], "note": "Queries SAA for information about the provided URL(s)" }, - "connector": "Splunk Attack Analyzer", + "connector": "Splunk Attack Analyzer Connector for Splunk SOAR", "connectorConfigs": [ - "splunk attack analyzer" + "splunk attack analyzer app" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", @@ -579,7 +577,7 @@ "functionName": "url_detonation", "id": "3", "parameters": { - "url": "playbook_input:url" + "url": "filtered-data:saa_input_filter:condition_1:playbook_input:url" }, "requiredParameters": [ { @@ -593,11 +591,7 @@ "id": "3", "type": "action", "userCode": "\n # Write your custom code here...\n\n", - "warnings": { - "config": [ - "Reconfigure invalid datapath." - ] - }, + "warnings": {}, "x": 0, "y": 320 }, @@ -606,6 +600,8 @@ "advanced": { "customName": "detonation status filter", "customNameId": 0, + "delimiter": ",", + "delimiter_enabled": true, "description": "Filters successful file detonation results.", "join": [], "note": "Filters successful file detonation results." @@ -650,9 +646,9 @@ "note": "Queries SAA Forensics data relative to the JobID of URL(s) or File(s) needs to be detonated.", "reviewer": "" }, - "connector": "Splunk Attack Analyzer", + "connector": "Splunk Attack Analyzer Connector for Splunk SOAR", "connectorConfigs": [ - "splunk attack analyzer" + "splunk attack analyzer app" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", @@ -684,6 +680,8 @@ "advanced": { "customName": "get jobid forensic filter", "customNameId": 0, + "delimiter": ",", + "delimiter_enabled": true, "description": "Filters successful url detonation job forensic results.", "join": [], "note": "Filters successful url detonation job forensic results." @@ -797,10 +795,10 @@ ], "playbook_type": "data", "python_version": "3", - "schema": "5.0.9", - "version": "6.0.0.114895" + "schema": "5.0.10", + "version": "6.1.0.131" }, - "create_time": "2023-07-03T11:44:44.497724+00:00", + "create_time": "2023-08-16T15:27:27.772206+00:00", "draft_mode": false, "labels": [ "*" diff --git a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py index bf00f75984..4521a5252c 100644 --- a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py +++ b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py @@ -31,7 +31,8 @@ def saa_input_filter(action=None, success=None, container=None, results=None, ha conditions=[ ["playbook_input:url", "!=", ""] ], - name="saa_input_filter:condition_1") + name="saa_input_filter:condition_1", + delimiter=",") # call connected blocks if filtered artifacts or results if matched_artifacts_1 or matched_results_1: @@ -43,7 +44,8 @@ def saa_input_filter(action=None, success=None, container=None, results=None, ha conditions=[ ["playbook_input:vault_id", "!=", ""] ], - name="saa_input_filter:condition_2") + name="saa_input_filter:condition_2", + delimiter=",") # call connected blocks if filtered artifacts or results if matched_artifacts_2 or matched_results_2: @@ -62,15 +64,15 @@ def url_detonation(action=None, success=None, container=None, results=None, hand # Queries SAA for information about the provided URL(s) ################################################################################ - playbook_input_url = phantom.collect2(container=container, datapath=["playbook_input:url"]) + filtered_input_0_url = phantom.collect2(container=container, datapath=["filtered-data:saa_input_filter:condition_1:playbook_input:url"]) parameters = [] # build parameters list for 'url_detonation' call - for playbook_input_url_item in playbook_input_url: - if playbook_input_url_item[0] is not None: + for filtered_input_0_url_item in filtered_input_0_url: + if filtered_input_0_url_item[0] is not None: parameters.append({ - "url": playbook_input_url_item[0], + "url": filtered_input_0_url_item[0], }) ################################################################################ @@ -83,7 +85,7 @@ def url_detonation(action=None, success=None, container=None, results=None, hand ## Custom Code End ################################################################################ - phantom.act("detonate url", parameters=parameters, name="url_detonation", assets=["splunk attack analyzer"], callback=url_status_filter) + phantom.act("detonate url", parameters=parameters, name="url_detonation", assets=["splunk attack analyzer app"], callback=url_status_filter) return @@ -102,7 +104,8 @@ def detonation_status_filter(action=None, success=None, container=None, results= conditions=[ ["file_detonation:action_result.status", "==", "success"] ], - name="detonation_status_filter:condition_1") + name="detonation_status_filter:condition_1", + delimiter=",") # call connected blocks if filtered artifacts or results if matched_artifacts_1 or matched_results_1: @@ -152,7 +155,7 @@ def get_url_forensics_output(action=None, success=None, container=None, results= ## Custom Code End ################################################################################ - phantom.act("get job forensics", parameters=parameters, name="get_url_forensics_output", assets=["splunk attack analyzer"], callback=get_jobid_forensic_filter) + phantom.act("get job forensics", parameters=parameters, name="get_url_forensics_output", assets=["splunk attack analyzer app"], callback=get_jobid_forensic_filter) return @@ -171,7 +174,8 @@ def get_jobid_forensic_filter(action=None, success=None, container=None, results conditions=[ ["get_url_forensics_output:action_result.status", "==", "success"] ], - name="get_jobid_forensic_filter:condition_1") + name="get_jobid_forensic_filter:condition_1", + delimiter=",") # call connected blocks if filtered artifacts or results if matched_artifacts_1 or matched_results_1: @@ -384,15 +388,15 @@ def file_detonation(action=None, success=None, container=None, results=None, han # Queries SAA for information about the provided vault_id(s) ################################################################################ - playbook_input_vault_id = phantom.collect2(container=container, datapath=["playbook_input:vault_id"]) + filtered_input_0_vault_id = phantom.collect2(container=container, datapath=["filtered-data:saa_input_filter:condition_2:playbook_input:vault_id"]) parameters = [] # build parameters list for 'file_detonation' call - for playbook_input_vault_id_item in playbook_input_vault_id: - if playbook_input_vault_id_item[0] is not None: + for filtered_input_0_vault_id_item in filtered_input_0_vault_id: + if filtered_input_0_vault_id_item[0] is not None: parameters.append({ - "file": playbook_input_vault_id_item[0], + "file": filtered_input_0_vault_id_item[0], }) ################################################################################ @@ -405,7 +409,7 @@ def file_detonation(action=None, success=None, container=None, results=None, han ## Custom Code End ################################################################################ - phantom.act("detonate file", parameters=parameters, name="file_detonation", assets=["splunk attack analyzer"], callback=detonation_status_filter) + phantom.act("detonate file", parameters=parameters, name="file_detonation", assets=["splunk attack analyzer app"], callback=detonation_status_filter) return @@ -430,7 +434,7 @@ def get_file_forensics_output(action=None, success=None, container=None, results if filtered_result_0_item_detonation_status_filter[0] is not None: parameters.append({ "job_id": filtered_result_0_item_detonation_status_filter[0], - "timeout": 3, + "timeout": 2, }) ################################################################################ @@ -451,7 +455,7 @@ def get_file_forensics_output(action=None, success=None, container=None, results ## Custom Code End ################################################################################ - phantom.act("get job forensics", parameters=parameters, name="get_file_forensics_output", assets=["splunk attack analyzer"], callback=file_forensics_filter) + phantom.act("get job forensics", parameters=parameters, name="get_file_forensics_output", assets=["splunk attack analyzer app"], callback=file_forensics_filter) return @@ -511,10 +515,10 @@ def normalized_file_forensic_output(action=None, success=None, container=None, r ## pair forensic job results with url detonated job_file_dict = {} - for orig_url, orig_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid): + for orig_file, orig_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid): for filtered_job in filtered_result_0_data___jobid: if orig_job == filtered_job: - job_file_dict[filtered_job] = orig_url + job_file_dict[filtered_job] = orig_file for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections): @@ -622,7 +626,7 @@ def build_file_output(action=None, success=None, container=None, results=None, h "source_link":f"https://app.twinwave.io/job/{external_id}" } build_file_output__observable_array.append(observable_object) - + #phantom.debug("build_file_output__observable_array: {}".format(build_file_output__observable_array)) ################################################################################ ## Custom Code End ################################################################################ @@ -646,7 +650,8 @@ def url_status_filter(action=None, success=None, container=None, results=None, h conditions=[ ["url_detonation:action_result.status", "==", "success"] ], - name="url_status_filter:condition_1") + name="url_status_filter:condition_1", + delimiter=",") # call connected blocks if filtered artifacts or results if matched_artifacts_1 or matched_results_1: @@ -669,7 +674,8 @@ def file_forensics_filter(action=None, success=None, container=None, results=Non conditions=[ ["get_file_forensics_output:action_result.status", "==", "success"] ], - name="file_forensics_filter:condition_1") + name="file_forensics_filter:condition_1", + delimiter=",") # call connected blocks if filtered artifacts or results if matched_artifacts_1 or matched_results_1: From 52c5800476830e29529981fde46832e12054c681 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Fri, 18 Aug 2023 12:54:25 -0700 Subject: [PATCH 06/47] yml and updates --- ...ows_ad_abnormal_object_access_activity.yml | 60 +++++++++++++ ...s_ad_privileged_object_access_activity.yml | 85 +++++++++++++++++++ 2 files changed, 145 insertions(+) create mode 100644 detections/endpoint/windows_ad_abnormal_object_access_activity.yml create mode 100644 detections/endpoint/windows_ad_privileged_object_access_activity.yml diff --git a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml new file mode 100644 index 0000000000..ad520f4985 --- /dev/null +++ b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml @@ -0,0 +1,60 @@ +name: Windows AD Abnormal Object Access Activity +id: 71b289db-5f2c-4c43-8256-8bf26ae7324a +version: 1 +date: '2023-06-01' +author: Steven Dick +status: production +type: TTP +description: Windows Active Directory contains numerous objects. A statistically significant increase in +access to these objects may be evidence of attacker enumeration of Active Directory. +data_source: +- Windows Security Event ID 4662 +search: '`wineventlog_security` EventCode=4662 +| `windows_ad_abnormal_object_access_filter` +| stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName +| eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev +| eval limit = round((average+(standarddev*3)),0), user = SubjectUserName +| where ObjectName_count > limit +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)`' +how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662 for relevant objects. Be aware +Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that +frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires. +known_false_positives: Service accounts or applications that routinely query Active Directory for information. +references: +- https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644 +- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 +tags: + analytic_story: + - Active Directory Discovery + asset_type: Endpoint + confidence: 50 + impact: 50 + message: The account $user$ accessed an abnormal amount ($ObjectName_count$) of [$ObjectType$] AD object(s) between $firstTime$ and $lastTime$. + mitre_attack_id: + - T1087 + - T1087.002 + observable: + - name: user + type: Username + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - ObjectName + - EventCode + - SubjectUserName + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog + update_timestamp: true \ No newline at end of file diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml new file mode 100644 index 0000000000..62d49b4f2a --- /dev/null +++ b/detections/endpoint/windows_ad_privileged_object_access_activity.yml @@ -0,0 +1,85 @@ +name: Windows AD Privileged Object Access Activity +id: dc2f58bc-8cd2-4e51-962a-694b963acde0 +version: 1 +date: '2023-06-01' +author: Steven Dick +status: production +type: TTP +description: Windows Active Directory contains numerous objects that grant elevated access to the +domain they reside in. These objects should be rarely accessed by normal users or processes. Access +attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory. +data_source: +- Windows Security Event ID 4662 +search: '`wineventlog_security` EventCode=4662 ObjectName IN ( +"CN=Account Operators,*", +"CN=Administrators,*", +"CN=Backup Operators,*", +"CN=Cert Publishers,*", +"CN=Certificate Service DCOM Access,*", +"CN=Domain Admins,*", +"CN=Domain Controllers,*", +"CN=Enterprise Admins,*", +"CN=Enterprise Read-only Domain Controllers,*", +"CN=Group Policy Creator Owners,*", +"CN=Incoming Forest Trust Builders,*", +"CN=Microsoft Exchange Servers,*", +"CN=Network Configuration Operators,*", +"CN=Power Users,*", +"CN=Print Operators,*", +"CN=Read-only Domain Controllers,*", +"CN=Replicators,*", +"CN=Schema Admins,*", +"CN=Server Operators,*", +"CN=Exchange Trusted Subsystem,*", +"CN=Exchange Windows Permission,*", +"CN=Organization Management,*") +| rex field=ObjectName "CN\=(?[^,]+)" +| stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| eval user = SubjectUserName, risk_score = case(object_count=1,40,object_count>1,object_count*30,true(),40) +| `windows_ad_privileged_object_access_filter`' +how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662 for relevant objects. Be aware +Splunk filters this event by default on the Windows TA. +known_false_positives: Service accounts or applications that routinely query Active Directory for information. +references: +- https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644 +- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 +tags: + analytic_story: + - Active Directory Discovery + asset_type: Endpoint + confidence: 50 + impact: 50 + message: The account $user$ accessed $object_count$ privileged AD object(s). + mitre_attack_id: + - T1087 + - T1087.002 + observable: + - name: user + type: Username + role: + - Victim + - name: object_name + type: Other + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - ObjectName + - EventCode + - Caller_User_Name + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog + update_timestamp: true \ No newline at end of file From 0fee186fc30ab5a24a7004c23bcea4466482cdd0 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Fri, 18 Aug 2023 12:58:50 -0700 Subject: [PATCH 07/47] fixes --- .../windows_ad_abnormal_object_access_activity.yml | 11 ++++------- .../windows_ad_privileged_object_access_activity.yml | 11 ++++------- 2 files changed, 8 insertions(+), 14 deletions(-) diff --git a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml index ad520f4985..9e21698a6f 100644 --- a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml +++ b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml @@ -5,10 +5,9 @@ date: '2023-06-01' author: Steven Dick status: production type: TTP -description: Windows Active Directory contains numerous objects. A statistically significant increase in -access to these objects may be evidence of attacker enumeration of Active Directory. +description: Windows Active Directory contains numerous objects. A statistically significant increase in access to these objects may be evidence of attacker enumeration of Active Directory. data_source: -- Windows Security Event ID 4662 +- Windows Security 4662 search: '`wineventlog_security` EventCode=4662 | `windows_ad_abnormal_object_access_filter` | stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName @@ -17,9 +16,7 @@ search: '`wineventlog_security` EventCode=4662 | where ObjectName_count > limit | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' -how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662 for relevant objects. Be aware -Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that -frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires. +how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662 for relevant objects. Be awaren Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires. known_false_positives: Service accounts or applications that routinely query Active Directory for information. references: - https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644 @@ -36,7 +33,7 @@ tags: - T1087.002 observable: - name: user - type: Username + type: User Name role: - Victim product: diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml index 62d49b4f2a..a91d4c87ab 100644 --- a/detections/endpoint/windows_ad_privileged_object_access_activity.yml +++ b/detections/endpoint/windows_ad_privileged_object_access_activity.yml @@ -5,11 +5,9 @@ date: '2023-06-01' author: Steven Dick status: production type: TTP -description: Windows Active Directory contains numerous objects that grant elevated access to the -domain they reside in. These objects should be rarely accessed by normal users or processes. Access -attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory. +description: Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should be rarely accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory. data_source: -- Windows Security Event ID 4662 +- Windows Security 4662 search: '`wineventlog_security` EventCode=4662 ObjectName IN ( "CN=Account Operators,*", "CN=Administrators,*", @@ -39,8 +37,7 @@ search: '`wineventlog_security` EventCode=4662 ObjectName IN ( | `security_content_ctime(lastTime)` | eval user = SubjectUserName, risk_score = case(object_count=1,40,object_count>1,object_count*30,true(),40) | `windows_ad_privileged_object_access_filter`' -how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662 for relevant objects. Be aware -Splunk filters this event by default on the Windows TA. +how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662 for relevant objects. Be aware Splunk filters this event by default on the Windows TA. known_false_positives: Service accounts or applications that routinely query Active Directory for information. references: - https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644 @@ -57,7 +54,7 @@ tags: - T1087.002 observable: - name: user - type: Username + type: User Name role: - Victim - name: object_name From 093b299d8d9029d941dd640e73a5e2e7e8454b06 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 21 Aug 2023 12:28:13 -0700 Subject: [PATCH 08/47] fixed obs stuff --- .../endpoint/creation_of_lsass_dump_with_taskmgr.yml | 6 +----- .../endpoint/detect_azurehound_command_line_arguments.yml | 2 +- .../endpoint/detect_azurehound_file_modifications.yml | 2 +- ...etect_copy_of_shadowcopy_with_script_block_logging.yml | 4 ++-- .../detect_credential_dumping_through_lsass_access.yml | 8 ++------ detections/endpoint/detect_exchange_web_shell.yml | 2 +- .../endpoint/detect_html_help_url_in_command_line.yml | 4 ++-- ...es_used_for_system_network_configuration_discovery.yml | 4 ++-- detections/endpoint/detect_rclone_command_line_usage.yml | 2 +- .../detect_regasm_with_no_command_line_arguments.yml | 2 +- .../detect_regsvcs_with_no_command_line_arguments.yml | 2 +- .../detect_regsvr32_application_control_bypass.yml | 2 +- ...tect_rundll32_application_control_bypass___advpack.yml | 2 +- ...ect_rundll32_application_control_bypass___setupapi.yml | 2 +- ...ect_rundll32_application_control_bypass___syssetup.yml | 2 +- .../endpoint/detect_sharphound_file_modifications.yml | 4 ++-- .../detect_wmi_event_subscription_persistence.yml | 2 +- detections/endpoint/disable_amsi_through_registry.yml | 4 ++-- .../endpoint/disable_defender_antivirus_registry.yml | 4 ++-- .../disable_defender_blockatfirstseen_feature.yml | 2 +- .../endpoint/disable_defender_mpengine_registry.yml | 4 ++-- detections/endpoint/disable_defender_spynet_reporting.yml | 2 +- .../disable_defender_submit_samples_consent_feature.yml | 4 ++-- detections/endpoint/disable_registry_tool.yml | 2 +- .../disable_security_logs_using_minint_registry.yml | 4 ++-- detections/endpoint/disable_show_hidden_files.yml | 2 +- detections/endpoint/disable_uac_remote_restriction.yml | 4 ++-- 27 files changed, 38 insertions(+), 46 deletions(-) diff --git a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml index 6210db1fbd..528d4c9825 100644 --- a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml +++ b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml @@ -35,16 +35,12 @@ tags: asset_type: Windows confidence: 100 impact: 80 - message: $process_name$ was identified on endpoint $Computer$ writing $TargetFilename$ + message: $process_name$ was identified on endpoint $dest$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager. mitre_attack_id: - T1003.001 - T1003 observable: - - name: user - type: User - role: - - Victim - name: dest type: Hostname role: diff --git a/detections/endpoint/detect_azurehound_command_line_arguments.yml b/detections/endpoint/detect_azurehound_command_line_arguments.yml index 5211fd79f3..bcb8bcfec8 100644 --- a/detections/endpoint/detect_azurehound_command_line_arguments.yml +++ b/detections/endpoint/detect_azurehound_command_line_arguments.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*invoke-azurehound*") - by Processes.dest Processes.user Processes.parent_process Processes.process_name + by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`' how_to_implement: To successfully implement this search you need to be ingesting information diff --git a/detections/endpoint/detect_azurehound_file_modifications.yml b/detections/endpoint/detect_azurehound_file_modifications.yml index 2f2eae0773..9ab3dc499b 100644 --- a/detections/endpoint/detect_azurehound_file_modifications.yml +++ b/detections/endpoint/detect_azurehound_file_modifications.yml @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*-azurecollection.zip", "*-azprivroleadminrights.json", "*-azglobaladminrights.json", "*-azcloudappadmins.json", "*-azapplicationadmins.json") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name - Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible diff --git a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml index fc6da6af16..1b7d878fd1 100644 --- a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml +++ b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml @@ -43,12 +43,12 @@ tags: - CVE-2021-36934 impact: 80 message: PowerShell was identified running a script to capture the SAM hive on endpoint - $ComputerName$ by user $user$. + $ComputerName$ by user $User$. mitre_attack_id: - T1003.002 - T1003 observable: - - name: user + - name: User type: User role: - Victim diff --git a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml index 087481964b..ffcf2e0b12 100644 --- a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml +++ b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml @@ -33,17 +33,13 @@ tags: confidence: 100 impact: 80 message: The $source_image$ has attempted access to read $TargetImage$ was identified - on endpoint $Computer$, this is indicative of credential dumping and should be + on endpoint $dest$, this is indicative of credential dumping and should be investigated. mitre_attack_id: - T1003.001 - T1003 observable: - - name: source_image - type: Other - role: - - Victim - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/detect_exchange_web_shell.yml b/detections/endpoint/detect_exchange_web_shell.yml index 9d28f395e7..c812ba227d 100644 --- a/detections/endpoint/detect_exchange_web_shell.yml +++ b/detections/endpoint/detect_exchange_web_shell.yml @@ -33,7 +33,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*", "*\\inetpub\\wwwroot\\aspnet_client\\*", "*\\HttpProxy\\OAB\\*") Filesystem.file_name - IN( "*.aspx", "*.ashx") by _time span=1h Filesystem.dest Filesystem.file_create_time + IN( "*.aspx", "*.ashx") by _time span=1h Filesystem.user Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, diff --git a/detections/endpoint/detect_html_help_url_in_command_line.yml b/detections/endpoint/detect_html_help_url_in_command_line.yml index c6a5efecb7..21928e03cb 100644 --- a/detections/endpoint/detect_html_help_url_in_command_line.yml +++ b/detections/endpoint/detect_html_help_url_in_command_line.yml @@ -21,7 +21,7 @@ data_source: search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http* by Processes.dest Processes.user Processes.parent_process Processes.original_file_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_name Processes.process Processes.parent_process_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`' how_to_implement: To successfully implement this search you need to be ingesting information @@ -45,7 +45,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 90 - message: An instance of $parent_proces_name$ spawning $process_name$ was identified + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ contacting a remote destination to potentally download a malicious payload. mitre_attack_id: diff --git a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml b/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml index 09350bf9c2..da0ec7a09f 100644 --- a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml +++ b/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml @@ -12,11 +12,11 @@ data_source: search: '| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user - IN ("","unknown") by Processes.dest Processes.process_name Processes.user _time + IN ("","unknown") by Processes.dest Processes.process_name Processes.parent_process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name - process parent_process eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`' + process parent_process parent_process_name eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`' how_to_implement: You must be ingesting data that records registry activity from your hosts to populate the Endpoint data model in the processes node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml index 026f7e1413..b013d38047 100644 --- a/detections/endpoint/detect_rclone_command_line_usage.yml +++ b/detections/endpoint/detect_rclone_command_line_usage.yml @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime as lastTime from datamodel=Endpoint.Processes where `process_rclone` Processes.process IN ("*copy*", "*mega*", "*pcloud*", "*ftp*", "*--config*", "*--progress*", "*--no-check-certificate*", "*--ignore-existing*", "*--auto-confirm*", "*--transfers*", "*--multi-thread-streams*") by - Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`' how_to_implement: To successfully implement this search you need to be ingesting information diff --git a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml index bb713095e1..6c4d363187 100644 --- a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml +++ b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml @@ -15,7 +15,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name - Processes.dest Processes.process_path Processes.process Processes.parent_process_name + Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(regasm\.exe.{0,4}$)" | `detect_regasm_with_no_command_line_arguments_filter`' how_to_implement: To successfully implement this search you need to be ingesting information diff --git a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml index 19e5f57e14..661356ab72 100644 --- a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml +++ b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml @@ -15,7 +15,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name - Processes.dest Processes.process_path Processes.process Processes.parent_process_name + Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(regsvcs\.exe.{0,4}$)"| `detect_regsvcs_with_no_command_line_arguments_filter`' how_to_implement: To successfully implement this search you need to be ingesting information diff --git a/detections/endpoint/detect_regsvr32_application_control_bypass.yml b/detections/endpoint/detect_regsvr32_application_control_bypass.yml index 471969d537..42ce761de0 100644 --- a/detections/endpoint/detect_regsvr32_application_control_bypass.yml +++ b/detections/endpoint/detect_regsvr32_application_control_bypass.yml @@ -19,7 +19,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process=*scrobj* - by Processes.dest Processes.user Processes.parent_process Processes.process_name + by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter`' diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml index bf91213573..25d3961685 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml @@ -53,7 +53,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml index 03173dcee0..f6c1be3d1f 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml @@ -51,7 +51,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml index e5cb9ec0b1..f07dfbae61 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml @@ -53,7 +53,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/detect_sharphound_file_modifications.yml b/detections/endpoint/detect_sharphound_file_modifications.yml index c2d3809c4f..e00307a30a 100644 --- a/detections/endpoint/detect_sharphound_file_modifications.yml +++ b/detections/endpoint/detect_sharphound_file_modifications.yml @@ -25,7 +25,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*bloodhound.zip", "*_computers.json", "*_gpos.json", "*_domains.json", "*_users.json", "*_groups.json", "*_ous.json", "*_containers.json") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name - Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible @@ -60,7 +60,7 @@ tags: type: Endpoint role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/detect_wmi_event_subscription_persistence.yml b/detections/endpoint/detect_wmi_event_subscription_persistence.yml index f0e4eb89f0..be4bbf3640 100644 --- a/detections/endpoint/detect_wmi_event_subscription_persistence.yml +++ b/detections/endpoint/detect_wmi_event_subscription_persistence.yml @@ -28,7 +28,7 @@ description: 'The following analytic identifies the use of WMI Event Subscriptio data_source: - Sysmon Event ID 20 search: '`sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime - by Computer User Destination | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + by Computer User Destination | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with that provide WMI Event Subscription from your endpoints. If you are using diff --git a/detections/endpoint/disable_amsi_through_registry.yml b/detections/endpoint/disable_amsi_through_registry.yml index c1a1e0e001..589df22afc 100644 --- a/detections/endpoint/disable_amsi_through_registry.yml +++ b/detections/endpoint/disable_amsi_through_registry.yml @@ -11,7 +11,7 @@ description: this search is to identify modification in registry to disable AMSI payload with minimal alert as much as possible. data_source: - Sysmon Event ID 1 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable" Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable" Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` @@ -33,7 +33,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Disable AMSI Through Registry + message: Disable AMSI Through Registry on $dest$ mitre_attack_id: - T1562.001 - T1562 diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml index 261fd5cd6b..4194fd8112 100644 --- a/detections/endpoint/disable_defender_antivirus_registry.yml +++ b/detections/endpoint/disable_defender_antivirus_registry.yml @@ -12,7 +12,7 @@ description: This particular behavior is typically executed when an adversary or any further file modifications. Endpoint should be isolated. data_source: - Sysmon Event ID 1 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender*" Registry.registry_value_name IN ("DisableAntiSpyware","DisableAntiVirus") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender*" Registry.registry_value_name IN ("DisableAntiSpyware","DisableAntiVirus") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` @@ -32,7 +32,7 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: modified/added/deleted registry entry $registry_path$ in $dest$ + message: Modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1562.001 - T1562 diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml index 11fa687a58..6c9467deab 100644 --- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml +++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml @@ -11,7 +11,7 @@ description: This analytic is intended to detect a suspicious modification of th a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` diff --git a/detections/endpoint/disable_defender_mpengine_registry.yml b/detections/endpoint/disable_defender_mpengine_registry.yml index 7e74e914c8..7f2912a8bc 100644 --- a/detections/endpoint/disable_defender_mpengine_registry.yml +++ b/detections/endpoint/disable_defender_mpengine_registry.yml @@ -12,7 +12,7 @@ description: This particular behavior is typically executed when an adversary or any further file modifications. Endpoint should be isolated. data_source: - Sysmon Event ID 1 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` @@ -32,7 +32,7 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: modified/added/deleted registry entry $registry_path$ in $dest$ + message: Modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1562.001 - T1562 diff --git a/detections/endpoint/disable_defender_spynet_reporting.yml b/detections/endpoint/disable_defender_spynet_reporting.yml index da76151b74..76fbd19618 100644 --- a/detections/endpoint/disable_defender_spynet_reporting.yml +++ b/detections/endpoint/disable_defender_spynet_reporting.yml @@ -15,7 +15,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data - Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) + Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml index f054852b01..151469f8b7 100644 --- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml +++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml @@ -14,7 +14,7 @@ data_source: search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -32,7 +32,7 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: modified/added/deleted registry entry $Registry.registry_path$ in $dest$ + message: modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1562.001 - T1562 diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml index 98934e509c..92db5125fe 100644 --- a/detections/endpoint/disable_registry_tool.yml +++ b/detections/endpoint/disable_registry_tool.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`' diff --git a/detections/endpoint/disable_security_logs_using_minint_registry.yml b/detections/endpoint/disable_security_logs_using_minint_registry.yml index e083f54d2a..7e61a9541c 100644 --- a/detections/endpoint/disable_security_logs_using_minint_registry.yml +++ b/detections/endpoint/disable_security_logs_using_minint_registry.yml @@ -12,7 +12,7 @@ description: This analytic is to detect a suspicious registry modification to di data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path="*\\Control\\MiniNt\\*") BY _time span=1h Registry.registry_path + WHERE (Registry.registry_path="*\\Control\\MiniNt\\*") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`' @@ -30,7 +30,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: modified/added/deleted registry entry $Registry.registry_path$ in $dest$ + message: Modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1112 observable: diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml index d9e1532ef8..6cf8eeb37d 100644 --- a/detections/endpoint/disable_show_hidden_files.yml +++ b/detections/endpoint/disable_show_hidden_files.yml @@ -15,7 +15,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint WHERE ((Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt" Registry.registry_value_data = "0x00000001") OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" - Registry.registry_value_data = "0x00000000")) BY _time span=1h Registry.registry_path + Registry.registry_value_data = "0x00000000")) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`' diff --git a/detections/endpoint/disable_uac_remote_restriction.yml b/detections/endpoint/disable_uac_remote_restriction.yml index d728d2f541..b9db569e3c 100644 --- a/detections/endpoint/disable_uac_remote_restriction.yml +++ b/detections/endpoint/disable_uac_remote_restriction.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\CurrentVersion\\Policies\\System*" Registry.registry_value_name="LocalAccountTokenFilterPolicy" - Registry.registry_value_data="0x00000001" ) BY _time span=1h Registry.registry_path + Registry.registry_value_data="0x00000001" ) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`' @@ -33,7 +33,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: modified/added/deleted registry entry $Registry.registry_path$ in $dest$ + message: Modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1548.002 - T1548 From 775d38c96f722181ec5305a420ce7f2444bf7d79 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 21 Aug 2023 13:13:21 -0700 Subject: [PATCH 09/47] fix another 30 yamls --- .../endpoint/disable_windows_app_hotkeys.yml | 2 +- .../disable_windows_behavior_monitoring.yml | 2 +- .../disable_windows_smartscreen_protection.yml | 2 +- ...re_authentication_discovery_with_get_aduser.yml | 2 +- ...pre_authentication_discovery_with_powerview.yml | 2 +- detections/endpoint/disabling_cmd_application.yml | 4 ++-- detections/endpoint/disabling_controlpanel.yml | 2 +- .../endpoint/disabling_defender_services.yml | 2 +- .../disabling_folderoptions_windows_feature.yml | 2 +- .../endpoint/disabling_norun_windows_app.yml | 2 +- .../disabling_systemrestore_in_registry.yml | 2 +- detections/endpoint/disabling_task_manager.yml | 2 +- .../dns_exfiltration_using_nslookup_app.yml | 2 +- .../domain_group_discovery_with_adsisearcher.yml | 2 +- .../endpoint/download_files_using_telegram.yml | 9 ++------- detections/endpoint/dsquery_domain_discovery.yml | 2 +- detections/endpoint/dump_lsass_via_comsvcs_dll.yml | 2 +- detections/endpoint/dump_lsass_via_procdump.yml | 2 +- .../endpoint/enable_rdp_in_other_port_number.yml | 2 +- .../enable_wdigest_uselogoncredential_registry.yml | 2 +- detections/endpoint/etw_registry_disabled.yml | 4 ++-- .../endpoint/exchange_powershell_module_usage.yml | 2 +- ...et_domaintrust_with_powershell_script_block.yml | 14 +++++--------- ...et_foresttrust_with_powershell_script_block.yml | 10 +++++----- ...bject_ds_group_with_powershell_script_block.yml | 6 +++--- ...with_no_command_line_arguments_with_network.yml | 10 +++++----- .../hide_user_account_from_sign_in_screen.yml | 2 +- detections/endpoint/java_writing_jsp_file.yml | 6 +----- ...ication_flag_disabled_in_useraccountcontrol.yml | 8 ++++---- ...uthentication_flag_disabled_with_powershell.yml | 6 +++++- 30 files changed, 54 insertions(+), 63 deletions(-) diff --git a/detections/endpoint/disable_windows_app_hotkeys.yml b/detections/endpoint/disable_windows_app_hotkeys.yml index 87b8a20115..c16e65103a 100644 --- a/detections/endpoint/disable_windows_app_hotkeys.yml +++ b/detections/endpoint/disable_windows_app_hotkeys.yml @@ -15,7 +15,7 @@ data_source: search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Image File Execution Options\\*" AND Registry.registry_value_data= "HotKey Disabled" AND Registry.registry_value_name - = "Debugger") BY _time span=1h Registry.registry_path Registry.registry_key_name + = "Debugger") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`' diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml index 99043e7359..b4c24fb127 100644 --- a/detections/endpoint/disable_windows_behavior_monitoring.yml +++ b/detections/endpoint/disable_windows_behavior_monitoring.yml @@ -19,7 +19,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint Protection\\DisableRealtimeMonitoring" OR Registry.registry_path= "*\\Real-Time Protection\\DisableIntrusionPreventionSystem" OR Registry.registry_path= "*\\Real-Time Protection\\DisableIOAVProtection" OR Registry.registry_path= "*\\Real-Time Protection\\DisableScriptScanning" - AND Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path + AND Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter`' diff --git a/detections/endpoint/disable_windows_smartscreen_protection.yml b/detections/endpoint/disable_windows_smartscreen_protection.yml index 0b78c8fe18..e0ae698a6f 100644 --- a/detections/endpoint/disable_windows_smartscreen_protection.yml +++ b/detections/endpoint/disable_windows_smartscreen_protection.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled" Registry.registry_value_data= - "Off") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + "Off") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`' how_to_implement: To successfully implement this search, you need to be ingesting diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml index 9112196b16..7331dbec49 100644 --- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml +++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml @@ -17,7 +17,7 @@ data_source: - Powershell 4104 search: ' `powershell` EventCode=4104 (ScriptBlockText = "*Get-ADUser*" AND ScriptBlockText="*4194304*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer - UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`' + UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml index 871132a1e8..57ed9eda0e 100644 --- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml +++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml @@ -17,7 +17,7 @@ data_source: - Powershell 4104 search: ' `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainUser*" AND ScriptBlockText="*PreauthNotRequired*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer - UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`' + UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml index c062655432..817240a760 100644 --- a/detections/endpoint/disabling_cmd_application.yml +++ b/detections/endpoint/disabling_cmd_application.yml @@ -5,7 +5,7 @@ date: '2023-04-27' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: this search is to identify modification in registry to disable cmd prompt +description: This search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files. @@ -13,7 +13,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`' diff --git a/detections/endpoint/disabling_controlpanel.yml b/detections/endpoint/disabling_controlpanel.yml index 86499c478f..31905c4abd 100644 --- a/detections/endpoint/disabling_controlpanel.yml +++ b/detections/endpoint/disabling_controlpanel.yml @@ -12,7 +12,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`' diff --git a/detections/endpoint/disabling_defender_services.yml b/detections/endpoint/disabling_defender_services.yml index a0b497f6f6..a557f53a35 100644 --- a/detections/endpoint/disabling_defender_services.yml +++ b/detections/endpoint/disabling_defender_services.yml @@ -16,7 +16,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint WHERE (Registry.registry_path = "*\\System\\CurrentControlSet\\Services\\*" AND (Registry.registry_path IN("*WdBoot*", "*WdFilter*", "*WdNisDrv*", "*WdNisSvc*","*WinDefend*", "*SecurityHealthService*")) AND Registry.registry_value_name = Start Registry.registry_value_data - = 0x00000004) BY _time span=1h Registry.registry_path Registry.registry_key_name + = 0x00000004) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`' diff --git a/detections/endpoint/disabling_folderoptions_windows_feature.yml b/detections/endpoint/disabling_folderoptions_windows_feature.yml index f01f61d0c3..2e6a5630a0 100644 --- a/detections/endpoint/disabling_folderoptions_windows_feature.yml +++ b/detections/endpoint/disabling_folderoptions_windows_feature.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFolderOptions" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`' diff --git a/detections/endpoint/disabling_norun_windows_app.yml b/detections/endpoint/disabling_norun_windows_app.yml index 8309f26d9a..1b7e6cb066 100644 --- a/detections/endpoint/disabling_norun_windows_app.yml +++ b/detections/endpoint/disabling_norun_windows_app.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`' diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml index c09ba33994..82c83ff3ff 100644 --- a/detections/endpoint/disabling_systemrestore_in_registry.yml +++ b/detections/endpoint/disabling_systemrestore_in_registry.yml @@ -16,7 +16,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableConfig" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`' diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml index 81ceda93eb..f1fca5a4c6 100644 --- a/detections/endpoint/disabling_task_manager.yml +++ b/detections/endpoint/disabling_task_manager.yml @@ -13,7 +13,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`' diff --git a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml index 2064dbeebc..13ba95172c 100644 --- a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml +++ b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "nslookup.exe" Processes.process = "*-querytype=*" OR Processes.process="*-qt=*" OR Processes.process="*-q=*" OR Processes.process="-type=*" - OR Processes.process="*-retry=*" by Processes.dest Processes.user Processes.process_name | + OR Processes.process="*-retry=*" by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dns_exfiltration_using_nslookup_app_filter`' how_to_implement: To successfully implement this search, you need to be ingesting diff --git a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml index 61e97e267f..ab1d38fed4 100644 --- a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml +++ b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml @@ -13,7 +13,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 (Message = "*[adsisearcher]*" AND Message = "*(objectcategory=group)*" AND Message = "*findAll()*") | stats count min(_time) as firstTime max(_time) as - lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` + lastTime by EventCode Message ComputerName User | rename ComputerName as dest |rename User as user | `security_content_ctime(firstTime)` | `domain_group_discovery_with_adsisearcher_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here diff --git a/detections/endpoint/download_files_using_telegram.yml b/detections/endpoint/download_files_using_telegram.yml index 800cece212..88ccd207af 100644 --- a/detections/endpoint/download_files_using_telegram.yml +++ b/detections/endpoint/download_files_using_telegram.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 15 search: '`sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier" |stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode - Image process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + Image process_id TargetFilename Hash | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints or Events that @@ -32,15 +32,10 @@ tags: confidence: 70 impact: 70 message: Suspicious files were downloaded with the Telegram application on $dest$ - by $user$. mitre_attack_id: - T1105 observable: - - name: user - type: User - role: - - Victim - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/dsquery_domain_discovery.yml b/detections/endpoint/dsquery_domain_discovery.yml index 8166c5018d..22e6cbccaf 100644 --- a/detections/endpoint/dsquery_domain_discovery.yml +++ b/detections/endpoint/dsquery_domain_discovery.yml @@ -30,7 +30,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dsquery.exe - Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process + Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dsquery_domain_discovery_filter`' diff --git a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml index 385ac36c5b..ae3acd7141 100644 --- a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml +++ b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml @@ -10,7 +10,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* - Processes.process=*MiniDump* by Processes.user Processes.process_name Processes.original_file_name + Processes.process=*MiniDump* by Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`' how_to_implement: To successfully implement this search you need to be ingesting information diff --git a/detections/endpoint/dump_lsass_via_procdump.yml b/detections/endpoint/dump_lsass_via_procdump.yml index 45cf26107c..951255d1c3 100644 --- a/detections/endpoint/dump_lsass_via_procdump.yml +++ b/detections/endpoint/dump_lsass_via_procdump.yml @@ -19,7 +19,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* - OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.process_name + OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter`' how_to_implement: To successfully implement this search you need to be ingesting information diff --git a/detections/endpoint/enable_rdp_in_other_port_number.yml b/detections/endpoint/enable_rdp_in_other_port_number.yml index aabfe80855..5fbc55c1b8 100644 --- a/detections/endpoint/enable_rdp_in_other_port_number.yml +++ b/detections/endpoint/enable_rdp_in_other_port_number.yml @@ -14,7 +14,7 @@ data_source: search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp*" Registry.registry_value_name = "PortNumber") BY _time - span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter`' how_to_implement: To successfully implement this search, you need to be ingesting diff --git a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml index 4e3ebec80d..2952cf509d 100644 --- a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml +++ b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\*" - Registry.registry_value_name = "UseLogonCredential" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name + Registry.registry_value_name = "UseLogonCredential" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`' diff --git a/detections/endpoint/etw_registry_disabled.yml b/detections/endpoint/etw_registry_disabled.yml index f7e1e25e30..21f5022aa9 100644 --- a/detections/endpoint/etw_registry_disabled.yml +++ b/detections/endpoint/etw_registry_disabled.yml @@ -12,7 +12,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SOFTWARE\\Microsoft\\.NETFramework*" Registry.registry_value_name - = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.registry_path + = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter`' @@ -33,7 +33,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 90 - message: modified/added/deleted registry entry $Registry.registry_path$ in $dest$ + message: Modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1562.006 - T1127 diff --git a/detections/endpoint/exchange_powershell_module_usage.yml b/detections/endpoint/exchange_powershell_module_usage.yml index b8a8500652..ceb823c650 100644 --- a/detections/endpoint/exchange_powershell_module_usage.yml +++ b/detections/endpoint/exchange_powershell_module_usage.yml @@ -32,7 +32,7 @@ data_source: search: '`powershell` EventCode=4104 ScriptBlockText IN ("*New-MailboxExportRequest*", "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "Search-Mailbox") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer - UserID EventCode ScriptBlockText| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + UserID EventCode ScriptBlockText | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here diff --git a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml index 4fc2834d5e..c65a7ddd13 100644 --- a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml +++ b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml @@ -21,7 +21,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*get-domaintrust*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode - ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -40,23 +40,19 @@ tags: asset_type: Endpoint confidence: 40 impact: 30 - message: Suspicious PowerShell Get-DomainTrust was identified on endpoint $Computer$ - by user $UserID$. + message: Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ + by user $user$. mitre_attack_id: - T1482 observable: - - name: UserID + - name: user type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim - - name: parent_process_name - type: Process - role: - - Parent Process product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml index f62b2a095b..e0723de09a 100644 --- a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml +++ b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml @@ -21,7 +21,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*get-foresttrust*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -36,17 +36,17 @@ tags: asset_type: Endpoint confidence: 40 impact: 30 - message: Suspicious PowerShell Get-ForestTrust was identified on endpoint $Computer$ - by user $UserID$. + message: Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ + by user $user$. mitre_attack_id: - T1482 - T1059.001 observable: - - name: UserID + - name: user type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml index d7b603f36d..cb2fd1d829 100644 --- a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml @@ -14,8 +14,8 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace root\\directory\\ldap*" AND ScriptBlockText="*class ds_group*") | stats count min(_time) - as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText - | `security_content_ctime(firstTime)` | `getwmiobject_ds_group_with_powershell_script_block_filter`' + as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` `getwmiobject_ds_group_with_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -30,7 +30,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 30 - message: Domain group discovery enumeration using PowerShell on $Computer$ by $UserID$ + message: Domain group discovery enumeration using PowerShell on $dest$ by $user$ mitre_attack_id: - T1069 - T1069.002 diff --git a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml index ea56bc7f6d..2520bcd146 100644 --- a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml @@ -16,12 +16,12 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=gpupdate.exe by _time span=1h Processes.process_id - Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name + Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(gpupdate\.exe.{0,4}$)"| join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` - | rename dest as C2 ] | table _time dest parent_process_name process_name process_path + | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `gpupdate_with_no_command_line_arguments_with_network_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from @@ -40,7 +40,7 @@ tags: confidence: 90 impact: 90 message: Process gpupdate.exe with parent_process $parent_process_name$ is executed - on $dest$ by user $user$, followed by an outbound network connection to $connection_to_CNC$ + on $dest$ by user $user$, followed by an outbound network connection to $C2$ on port $dest_port$. This behaviour is seen with cobaltstrike. mitre_attack_id: - T1055 @@ -58,10 +58,10 @@ tags: role: - Parent Process - Attacker - - name: connection_to_CNC + - name: C2 type: IP Address role: - - Other + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml index 5df47acda1..369054df6a 100644 --- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml +++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" - AND Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path + AND Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter`' diff --git a/detections/endpoint/java_writing_jsp_file.yml b/detections/endpoint/java_writing_jsp_file.yml index 578422eaab..0d2a3146bc 100644 --- a/detections/endpoint/java_writing_jsp_file.yml +++ b/detections/endpoint/java_writing_jsp_file.yml @@ -43,7 +43,7 @@ tags: - CVE-2022-22965 impact: 60 message: An instance of $process_name$ was identified on endpoint $dest$ writing - a jsp file to disk, potentially indicative of exploitation. + a jsp file $file_name$ to disk, potentially indicative of exploitation. mitre_attack_id: - T1190 - T1133 @@ -52,10 +52,6 @@ tags: type: Hostname role: - Victim - - name: parent_process_name - type: Process - role: - - Parent Process - name: process_name type: Process role: diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml index 92f4be0267..6f214875a8 100644 --- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml +++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml @@ -15,7 +15,7 @@ description: The following analytic leverages Windows Security Event 4738, `A us data_source: - Windows Security 4738 search: ' `wineventlog_security` EventCode=4738 MSADChangedAttributes="*Don''t Require - Preauth'' - Enabled*" | table EventCode, Account_Name, Security_ID, MSADChangedAttributes + Preauth'' - Enabled*" |rename Account_Name as user | table EventCode, user, dest, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `User Account @@ -31,13 +31,13 @@ tags: asset_type: endpoint confidence: 90 impact: 50 - message: Kerberos Pre Authentication was Disabled for $Account_Name$ + message: Kerberos Pre Authentication was Disabled for $user$ mitre_attack_id: - T1558 - T1558.004 observable: - - name: dest - type: Endpoint + - name: user + type: User Name role: - Victim product: diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml index 8279eba99d..fb8c3ea1e1 100644 --- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml +++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml @@ -19,7 +19,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 (ScriptBlockText = "*Set-ADAccountControl*" AND ScriptBlockText="*DoesNotRequirePreAuth:$true*") | stats count min(_time) as firstTime - max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` + max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -51,6 +51,10 @@ tags: - Splunk Cloud required_fields: - _time + - EventCode + - ScriptBlockText + - Computer + - user_id risk_score: 45 security_domain: endpoint tests: From ba4a0d8919c73e837734abd18c3e21bf4a95b032 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 21 Aug 2023 13:50:31 -0700 Subject: [PATCH 10/47] updates to yamls --- .../linux_pkexec_privilege_escalation.yml | 2 +- detections/endpoint/living_off_the_land.yml | 4 ++-- .../endpoint/mailsniper_invoke_functions.yml | 6 +++--- ...licious_powershell_executed_as_a_service.yml | 2 +- .../endpoint/modification_of_wallpaper.yml | 2 +- ...monitor_registry_keys_for_print_monitors.yml | 2 +- ...ms_scripting_process_loading_ldap_module.yml | 2 +- .../ms_scripting_process_loading_wmi_module.yml | 2 +- ...ild_suspicious_spawned_by_script_process.yml | 2 +- .../office_document_creating_schedule_task.yml | 2 +- .../office_document_executing_macro_code.yml | 2 +- .../endpoint/powershell_domain_enumeration.yml | 8 ++++---- ...powershell_using_memory_as_backing_store.yml | 8 ++++---- .../endpoint/ransomware_notes_bulk_creation.yml | 10 +++------- .../recon_avproduct_through_pwh_or_wmi.yml | 8 ++++---- ...egistry_keys_for_creating_shim_databases.yml | 2 +- ...istry_keys_used_for_privilege_escalation.yml | 2 +- .../endpoint/rundll32_lockworkstation.yml | 4 ++-- .../endpoint/rundll32_shimcache_flush.yml | 2 +- ...principalnames_discovery_with_powershell.yml | 17 ++++------------- .../endpoint/short_lived_scheduled_task.yml | 6 +++--- .../spoolsv_suspicious_loaded_modules.yml | 17 ++++------------- .../endpoint/sqlite_module_in_temp_folder.yml | 8 ++++---- 23 files changed, 49 insertions(+), 71 deletions(-) diff --git a/detections/endpoint/linux_pkexec_privilege_escalation.yml b/detections/endpoint/linux_pkexec_privilege_escalation.yml index 49c8e1c81e..493e1bc36c 100644 --- a/detections/endpoint/linux_pkexec_privilege_escalation.yml +++ b/detections/endpoint/linux_pkexec_privilege_escalation.yml @@ -12,7 +12,7 @@ description: The following analytic identifies `pkexec` spawning with no command data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes - where Processes.process_name=pkexec by _time Processes.dest Processes.process_id + where Processes.process_name=pkexec by _time Processes.dest Processes.user Processes.process_id Processes.parent_process_name Processes.process_name Processes.process Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(^.{1}$)" | `linux_pkexec_privilege_escalation_filter`' diff --git a/detections/endpoint/living_off_the_land.yml b/detections/endpoint/living_off_the_land.yml index 8a69f0ffd0..cc2429ec7b 100644 --- a/detections/endpoint/living_off_the_land.yml +++ b/detections/endpoint/living_off_the_land.yml @@ -39,14 +39,14 @@ tags: asset_type: Endpoint confidence: 70 impact: 90 - message: An increase of Living Off The Land behavior has been detected on $affected_systems$ + message: An increase of Living Off The Land behavior has been detected on $risk_object$ mitre_attack_id: - T1105 - T1190 - T1059 - T1133 observable: - - name: affected_systems + - name: risk_object type: Hostname role: - Victim diff --git a/detections/endpoint/mailsniper_invoke_functions.yml b/detections/endpoint/mailsniper_invoke_functions.yml index 6e6bfe13b0..dafa3b182a 100644 --- a/detections/endpoint/mailsniper_invoke_functions.yml +++ b/detections/endpoint/mailsniper_invoke_functions.yml @@ -15,7 +15,7 @@ search: '`powershell` EventCode=4104 ScriptBlockText IN ("*Invoke-GlobalO365Mail "*Invoke-PasswordSprayEWS*","*Invoke-DomainHarvestOWA*", "*Invoke-UsernameHarvestOWA*","*Invoke-OpenInboxFinder*","*Invoke-InjectGEventAPI*","*Invoke-InjectGEvent*","*Invoke-SearchGmail*", "*Invoke-MonitorCredSniper*", "*Invoke-AddGmailRule*","*Invoke-PasswordSprayEAS*","*Invoke-UsernameHarvestEAS*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer - UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mailsniper_invoke_functions_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed @@ -29,13 +29,13 @@ tags: asset_type: Endpoint confidence: 80 impact: 90 - message: mailsniper.ps1 functions $ScriptBlockText$ executed on a $Computer$ by + message: mailsniper.ps1 functions $ScriptBlockText$ executed on a $dest$ by user $user$. mitre_attack_id: - T1114 - T1114.001 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim diff --git a/detections/endpoint/malicious_powershell_executed_as_a_service.yml b/detections/endpoint/malicious_powershell_executed_as_a_service.yml index f0a0d36db8..7175dccc25 100644 --- a/detections/endpoint/malicious_powershell_executed_as_a_service.yml +++ b/detections/endpoint/malicious_powershell_executed_as_a_service.yml @@ -13,7 +13,7 @@ search: ' `wineventlog_system` EventCode=7045 | eval l_Service_File_Name=lower(S | regex l_Service_File_Name="powershell[.\s]|powershell_ise[.\s]|pwsh[.\s]|psexec[.\s]" | regex l_Service_File_Name="-nop[rofile\s]+|-w[indowstyle]*\s+hid[den]*|-noe[xit\s]+|-enc[odedcommand\s]+" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name - Service_Name Service_Start_Type Service_Type Service_Account user | `security_content_ctime(firstTime)` + Service_Name Service_Start_Type Service_Type Service_Account user dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_executed_as_a_service_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, diff --git a/detections/endpoint/modification_of_wallpaper.yml b/detections/endpoint/modification_of_wallpaper.yml index 424ad85899..08a4df62e2 100644 --- a/detections/endpoint/modification_of_wallpaper.yml +++ b/detections/endpoint/modification_of_wallpaper.yml @@ -15,7 +15,7 @@ search: '`sysmon` EventCode =13 (TargetObject= "*\\Control Panel\\Desktop\\Wall AND Image != "*\\explorer.exe") OR (TargetObject= "*\\Control Panel\\Desktop\\Wallpaper" AND Details = "*\\temp\\*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer process_guid process_id - user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modification_of_wallpaper_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the Image, TargetObject registry key, registry Details from your endpoints. diff --git a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml index 9be7147ba6..024da22857 100644 --- a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml +++ b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path="*CurrentControlSet\\Control\\Print\\Monitors*") - BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter`' how_to_implement: To successfully implement this search, you need to be ingesting diff --git a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml index 1f276f2db6..e54c641eff 100644 --- a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml +++ b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml @@ -17,7 +17,7 @@ data_source: search: '`sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded IN ("*\\Wldap32.dll", "*\\adsldp.dll", "*\\adsldpc.dll") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid - Computer ImageLoaded | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your diff --git a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml index fe6d3352c4..512917c0eb 100644 --- a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml +++ b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml @@ -18,7 +18,7 @@ search: '`sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") Ima IN ("*\\fastprox.dll", "*\\wbemdisp.dll", "*\\wbemprox.dll", "*\\wbemsvc.dll" , "*\\wmiutils.dll", "*\\wbemcomn.dll") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer - ImageLoaded | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_wmi_module_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your diff --git a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml index 6218e7cbcf..e7c880b314 100644 --- a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml +++ b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml @@ -45,7 +45,7 @@ tags: type: Endpoint role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/office_document_creating_schedule_task.yml b/detections/endpoint/office_document_creating_schedule_task.yml index f8386330f4..5ee8c40f84 100644 --- a/detections/endpoint/office_document_creating_schedule_task.yml +++ b/detections/endpoint/office_document_creating_schedule_task.yml @@ -24,7 +24,7 @@ search: '`sysmon` EventCode=7 parent_process_name IN ("WINWORD.EXE", "EXCEL.EXE" "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe") ImageLoaded = "*\\taskschd.dll" | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count by Computer EventCode - Image parent_process_name ProcessId ProcessGuid | `security_content_ctime(firstTime)` + Image parent_process_name ProcessId ProcessGuid | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. diff --git a/detections/endpoint/office_document_executing_macro_code.yml b/detections/endpoint/office_document_executing_macro_code.yml index 0cf90b3f2d..1af79666b3 100644 --- a/detections/endpoint/office_document_executing_macro_code.yml +++ b/detections/endpoint/office_document_executing_macro_code.yml @@ -18,7 +18,7 @@ search: '`sysmon` EventCode=7 parent_process_name IN ("WINWORD.EXE", "EXCEL.EXE" "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") ImageLoaded IN ("*\\VBE7INTL.DLL","*\\VBE7.DLL", "*\\VBEUI.DLL") | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count - by Computer EventCode Image process_name ProcessId ProcessGuid | `security_content_ctime(firstTime)` + by Computer EventCode Image process_name ProcessId ProcessGuid | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. diff --git a/detections/endpoint/powershell_domain_enumeration.yml b/detections/endpoint/powershell_domain_enumeration.yml index 9c40d3d817..7e600d9137 100644 --- a/detections/endpoint/powershell_domain_enumeration.yml +++ b/detections/endpoint/powershell_domain_enumeration.yml @@ -21,7 +21,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*) | stats count min(_time) - as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` + as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_domain_enumeration_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -42,16 +42,16 @@ tags: confidence: 70 impact: 60 message: A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ - with EventCode $EventCode$ in host $Computer$ + with EventCode $EventCode$ in host $dest$ mitre_attack_id: - T1059 - T1059.001 observable: - - name: Computer + - name: dest type: Hostname role: - Victim - - name: UserID + - name: user type: User role: - Victim diff --git a/detections/endpoint/powershell_using_memory_as_backing_store.yml b/detections/endpoint/powershell_using_memory_as_backing_store.yml index dc79d49367..6fe489490e 100644 --- a/detections/endpoint/powershell_using_memory_as_backing_store.yml +++ b/detections/endpoint/powershell_using_memory_as_backing_store.yml @@ -14,7 +14,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime - by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` + by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_using_memory_as_backing_store_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -38,16 +38,16 @@ tags: confidence: 80 impact: 50 message: A PowerShell script contains memorystream command in $ScriptBlockText$ - as new object backstore with EventCode $EventCode$ on host $Computer$. + as new object backstore with EventCode $EventCode$ on host $dest$. mitre_attack_id: - T1059.001 - T1059 observable: - - name: Computer + - name: dest type: Hostname role: - Victim - - name: UserID + - name: user type: User role: - Victim diff --git a/detections/endpoint/ransomware_notes_bulk_creation.yml b/detections/endpoint/ransomware_notes_bulk_creation.yml index a35453c811..d55742e283 100644 --- a/detections/endpoint/ransomware_notes_bulk_creation.yml +++ b/detections/endpoint/ransomware_notes_bulk_creation.yml @@ -15,7 +15,7 @@ data_source: search: '`sysmon` EventCode=11 file_name IN ("*\.txt","*\.html","*\.hta") |bin _time span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer - Image file_name | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)` + Image file_name | rename Computer as dest | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`' how_to_implement: You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are @@ -36,18 +36,14 @@ tags: confidence: 90 impact: 90 message: A high frequency file creation of $file_name$ in different file path in - host $Computer$ + host $dest$ mitre_attack_id: - T1486 observable: - - name: Computer + - name: dest type: Hostname role: - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml index 2af51f76ca..4862669024 100644 --- a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml +++ b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml @@ -16,7 +16,7 @@ data_source: search: '`powershell` EventCode=4104 (ScriptBlockText = "*SELECT*" OR ScriptBlockText = "*WMIC*") AND (ScriptBlockText = "*AntiVirusProduct*" OR ScriptBlockText = "*AntiSpywareProduct*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_avproduct_through_pwh_or_wmi_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -42,15 +42,15 @@ tags: confidence: 80 impact: 70 message: A suspicious powershell script contains AV recon command in $ScriptBlockText$ - with EventCode $EventCode$ in host $Computer$ + with EventCode $EventCode$ in host $dest$ mitre_attack_id: - T1592 observable: - - name: Computer + - name: dest type: Hostname role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/registry_keys_for_creating_shim_databases.yml b/detections/endpoint/registry_keys_for_creating_shim_databases.yml index 365a042cf3..047bff5dc4 100644 --- a/detections/endpoint/registry_keys_for_creating_shim_databases.yml +++ b/detections/endpoint/registry_keys_for_creating_shim_databases.yml @@ -11,7 +11,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\AppCompatFlags\\Custom* OR Registry.registry_path=*CurrentVersion\\AppCompatFlags\\InstalledSDB*) - BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`' how_to_implement: To successfully implement this search, you need to be ingesting diff --git a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml index b93685b9fe..2a1b27f2ab 100644 --- a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml +++ b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml @@ -14,7 +14,7 @@ data_source: search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) - BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`' how_to_implement: To successfully implement this search, you need to be ingesting diff --git a/detections/endpoint/rundll32_lockworkstation.yml b/detections/endpoint/rundll32_lockworkstation.yml index 128167f802..c7e88a18bd 100644 --- a/detections/endpoint/rundll32_lockworkstation.yml +++ b/detections/endpoint/rundll32_lockworkstation.yml @@ -30,7 +30,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: process $process_name$ with cmdline $process$ in host $dest$ + message: Process $process_name$ with cmdline $process$ in host $dest$ mitre_attack_id: - T1218 - T1218.011 @@ -39,7 +39,7 @@ tags: type: Hostname role: - Victim - - name: SourceImage + - name: process_name type: Process Name role: - Attacker diff --git a/detections/endpoint/rundll32_shimcache_flush.yml b/detections/endpoint/rundll32_shimcache_flush.yml index 444c418c33..920dd4409c 100644 --- a/detections/endpoint/rundll32_shimcache_flush.yml +++ b/detections/endpoint/rundll32_shimcache_flush.yml @@ -41,7 +41,7 @@ tags: type: Endpoint role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml index ad635c21df..ac2e631278 100644 --- a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml +++ b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml @@ -26,7 +26,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText="*KerberosRequestorSecurityToken*" | stats count min(_time) as firstTime max(_time) as lastTime by ScriptBlockText - Opcode Computer UserID EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + Opcode Computer UserID EventCode | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `serviceprincipalnames_discovery_with_powershell_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -56,28 +56,19 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $Computer$ by user $UserID$ attempting to identify service principle + message: An instance of attempting to identify service principle detected on $dest$ names. mitre_attack_id: - T1558.003 observable: - - name: UserID + - name: user type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim - - name: parent_process_name - type: Process - role: - - Parent Process - - name: process_name - type: Process - role: - - Child Process product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/short_lived_scheduled_task.yml b/detections/endpoint/short_lived_scheduled_task.yml index 312e026365..ae652ddf21 100644 --- a/detections/endpoint/short_lived_scheduled_task.yml +++ b/detections/endpoint/short_lived_scheduled_task.yml @@ -16,8 +16,8 @@ data_source: - Windows Security 4698 search: ' `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Message | transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699) | - eval short_lived=case((duration<30),"TRUE") | search short_lived = TRUE | table - _time, ComputerName, Account_Name, Command, Task_Name, short_lived | `short_lived_scheduled_task_filter` ' + eval short_lived=case((duration<30),"TRUE") | search short_lived = TRUE | rename ComputerName as dest| table + _time, dest, Account_Name, Command, Task_Name, short_lived | `short_lived_scheduled_task_filter` ' how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. @@ -34,7 +34,7 @@ tags: asset_type: Endpoint confidence: 90 impact: 90 - message: A windows scheduled task was created and deleted in 30 seconds on $ComputerName$ + message: A windows scheduled task was created and deleted in 30 seconds on $dest$ mitre_attack_id: - T1053.005 observable: diff --git a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml index 1d85834aed..9845b79633 100644 --- a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml +++ b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml @@ -13,7 +13,7 @@ data_source: search: '`sysmon` EventCode=7 Image ="*\\spoolsv.exe" ImageLoaded="*\\Windows\\System32\\spool\\drivers\\x64\\*" ImageLoaded = "*.dll" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImgLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer - ProcessId EventCode | where countImgloaded >= 3 | `security_content_ctime(firstTime)` + ProcessId EventCode | rename Computer as dest | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you @@ -29,25 +29,16 @@ tags: cve: - CVE-2021-34527 impact: 80 - message: $Image$ with process id $process_id$ has loaded a driver from $ImageLoaded$ - on endpoint $Computer$. This behavior is suspicious and related to PrintNightmare. + message: $Image$ with process id $ProcessId$ has loaded a driver from $ImageLoaded$ + on endpoint $dest$. This behavior is suspicious and related to PrintNightmare. mitre_attack_id: - T1547.012 - T1547 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim - - name: process_id - type: Process Name - role: - - Parent Process - - Attacker - - name: ImageLoaded - type: File - role: - - Other product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/sqlite_module_in_temp_folder.yml b/detections/endpoint/sqlite_module_in_temp_folder.yml index c611f7c900..2457658008 100644 --- a/detections/endpoint/sqlite_module_in_temp_folder.yml +++ b/detections/endpoint/sqlite_module_in_temp_folder.yml @@ -13,8 +13,8 @@ data_source: - Sysmon Event ID 1 search: '`sysmon` EventCode=11 (TargetFilename = "*\\sqlite32.dll" OR TargetFilename = "*\\sqlite64.dll") (TargetFilename = "*\\temp\\*") |stats count min(_time) as - firstTime max(_time) as lastTime by process_name TargetFilename EventCode ProcessId - Image | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + firstTime max(_time) as lastTime by SourceImage process_name Computer TargetFilename EventCode ProcessId + Image | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sqlite_module_in_temp_folder_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -29,11 +29,11 @@ tags: asset_type: Endpoint confidence: 30 impact: 30 - message: process $SourceImage$ create a file $TargetImage$ in host $Computer$ + message: process $SourceImage$ create a file $TargetFilename$ in host $dest$ mitre_attack_id: - T1005 observable: - - name: Computer + - name: dest type: Hostname role: - Victim From 0bc37ed468802d1453e9fc8ea1e3aabd32ad59f6 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 21 Aug 2023 14:19:56 -0700 Subject: [PATCH 11/47] updating ysmls for risk --- .../endpoint/suspicious_copy_on_system32.yml | 4 ++-- ...ious_dllhost_no_command_line_arguments.yml | 4 ++-- .../suspicious_event_log_service_behavior.yml | 7 +++---- ...ous_gpupdate_no_command_line_arguments.yml | 4 ++-- ...cious_image_creation_in_appdata_folder.yml | 4 ++-- ...icious_kerberos_service_ticket_request.yml | 8 +++---- ...ious_microsoft_workflow_compiler_usage.yml | 2 +- .../endpoint/suspicious_msbuild_path.yml | 2 +- .../endpoint/suspicious_msbuild_spawn.yml | 2 +- ...ious_regsvr32_register_suspicious_path.yml | 2 +- .../suspicious_rundll32_dllregisterserver.yml | 2 +- ...ous_rundll32_no_command_line_arguments.yml | 4 ++-- .../endpoint/suspicious_rundll32_startw.yml | 4 ++-- ...s_scheduled_task_from_public_directory.yml | 4 ++-- ...protocolhost_no_command_line_arguments.yml | 4 ++-- .../suspicious_wav_file_in_appdata_folder.yml | 2 +- .../endpoint/suspicious_wevtutil_usage.yml | 2 +- ...system_information_discovery_detection.yml | 4 ++-- .../time_provider_persistence_registry.yml | 4 ++-- .../uac_bypass_with_colorui_com_object.yml | 4 ++-- ...wn_process_using_the_kerberos_protocol.yml | 10 +++------ ...uthentication_certificates___esc1_auth.yml | 21 ++++++++----------- 22 files changed, 48 insertions(+), 56 deletions(-) diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml index e2b5685182..ca05acb70a 100644 --- a/detections/endpoint/suspicious_copy_on_system32.yml +++ b/detections/endpoint/suspicious_copy_on_system32.yml @@ -44,7 +44,7 @@ tags: asset_type: Endpoint confidence: 90 impact: 70 - message: execution of copy exe to copy file from $process$ in $dest$ + message: Execution of copy exe to copy file from $process$ in $dest$ mitre_attack_id: - T1036.003 - T1036 @@ -53,7 +53,7 @@ tags: type: Endpoint role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml index ec10fa68a3..8e2ddc5f2e 100644 --- a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml @@ -15,7 +15,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_dllhost` by _time span=1h Processes.process_id Processes.process_name - Processes.dest Processes.process_path Processes.process Processes.parent_process_name + Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(dllhost\.exe.{0,4}$)" | `suspicious_dllhost_no_command_line_arguments_filter`' how_to_implement: To successfully implement this search you need to be ingesting information @@ -45,7 +45,7 @@ tags: type: Endpoint role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/suspicious_event_log_service_behavior.yml b/detections/endpoint/suspicious_event_log_service_behavior.yml index f529914316..e6debc35f6 100644 --- a/detections/endpoint/suspicious_event_log_service_behavior.yml +++ b/detections/endpoint/suspicious_event_log_service_behavior.yml @@ -15,8 +15,7 @@ description: The following analytic utilizes Windows Event ID 1100 to identify w data_source: - Sysmon Event ID 1 search: (`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime - max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `suspicious_event_log_service_behavior_filter` + max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_event_log_service_behavior_filter` how_to_implement: To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. known_false_positives: It is possible the Event Logging service gets shut down due @@ -34,12 +33,12 @@ tags: asset_type: Endpoint confidence: 30 impact: 30 - message: The Windows Event Log Service shutdown on $ComputerName$ + message: The Windows Event Log Service shutdown on $dest$ mitre_attack_id: - T1070 - T1070.001 observable: - - name: ComputerName + - name: dest type: Endpoint role: - Victim diff --git a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml index 29a48aa774..4738799e56 100644 --- a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml @@ -15,7 +15,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_gpupdate` by _time span=1h Processes.process_id Processes.process_name - Processes.dest Processes.process_path Processes.process Processes.parent_process_name + Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(gpupdate\.exe.{0,4}$)" | `suspicious_gpupdate_no_command_line_arguments_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -44,7 +44,7 @@ tags: type: Endpoint role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml index 71ccd0031f..b4bb38d0d7 100644 --- a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml +++ b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml @@ -38,11 +38,11 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: process $process_name$ creating image file $file_path$ in $dest$ + message: Process $process_name$ creating image file $file_path$ in $dest$ mitre_attack_id: - T1113 observable: - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml index 601d78cd6d..3417d6487d 100644 --- a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml +++ b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml @@ -17,8 +17,8 @@ description: As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain data_source: - Windows Security 4769 search: ' `wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(Service_Name) - = lower(mvindex(split(Account_Name,"@"),0)+"$"),1,0) | where isSuspicious = 1 | - table _time, Client_Address, Account_Name, Service_Name, Failure_Code, isSuspicious + = lower(mvindex(split(Account_Name,"@"),0)+"$"),1,0) | where isSuspicious = 1 | rename ComputerName as dest| rename Account_Name as user | + table _time, dest, Client_Address, Account_Name, Service_Name, Failure_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting @@ -42,12 +42,12 @@ tags: - CVE-2021-42287 - CVE-2021-42278 impact: 100 - message: A suspicious Kerberos Service Ticket was requested by $Account_Name$ + message: A suspicious Kerberos Service Ticket was requested by $user$ on host $dest$ mitre_attack_id: - T1078 - T1078.002 observable: - - name: ComputerName + - name: dest type: Endpoint role: - Victim diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml index 1abdf8ecf7..7c8d8ef0a9 100644 --- a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml +++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml @@ -41,7 +41,7 @@ tags: type: Endpoint role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/suspicious_msbuild_path.yml b/detections/endpoint/suspicious_msbuild_path.yml index b077b803e7..a9e624f9ee 100644 --- a/detections/endpoint/suspicious_msbuild_path.yml +++ b/detections/endpoint/suspicious_msbuild_path.yml @@ -52,7 +52,7 @@ tags: type: Endpoint role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/suspicious_msbuild_spawn.yml b/detections/endpoint/suspicious_msbuild_spawn.yml index 373a1cd15f..cfec80df30 100644 --- a/detections/endpoint/suspicious_msbuild_spawn.yml +++ b/detections/endpoint/suspicious_msbuild_spawn.yml @@ -46,7 +46,7 @@ tags: type: Endpoint role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml index 77296cf780..360a61303b 100644 --- a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml +++ b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml @@ -13,7 +13,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN ("*\\appdata\\*", "*\\programdata\\*","*\\windows\\temp\\*") NOT (Processes.process IN ("*.dll*", "*.ax*", "*.ocx*")) - by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`' how_to_implement: You must be ingesting endpoint data that tracks process activity, diff --git a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml index 1d8c98c32f..3cd156d2da 100644 --- a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml +++ b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml @@ -16,7 +16,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* - by Processes.dest Processes.user Processes.parent_process Processes.original_file_name + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`' diff --git a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml index e672e78c55..7bf721cddb 100644 --- a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml @@ -15,7 +15,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name - Processes.dest Processes.process_path Processes.process Processes.parent_process_name + Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(rundll32\.exe.{0,4}$)" | `suspicious_rundll32_no_command_line_arguments_filter`' how_to_implement: To successfully implement this search you need to be ingesting information @@ -52,7 +52,7 @@ tags: type: Endpoint role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml index e1691ee157..6c89d07b94 100644 --- a/detections/endpoint/suspicious_rundll32_startw.yml +++ b/detections/endpoint/suspicious_rundll32_startw.yml @@ -45,7 +45,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 70 - message: rundll32.exe running with suspicious parameters on $dest$ + message: rundll32.exe running with suspicious StartW parameters on $dest$ mitre_attack_id: - T1218 - T1218.011 @@ -54,7 +54,7 @@ tags: type: Endpoint role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 9c6c84890d..a9aa2fdc8e 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -35,7 +35,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 70 - message: Suspicious scheduled task registered on $dest$ + message: Suspicious scheduled task registered on $dest$ from Public Directory mitre_attack_id: - T1053.005 - T1053 @@ -44,7 +44,7 @@ tags: type: Endpoint role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml index d1ed4de967..91ae5c584d 100644 --- a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml @@ -16,7 +16,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id - Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name + Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(searchprotocolhost\.exe.{0,4}$)" | `suspicious_searchprotocolhost_no_command_line_arguments_filter`' how_to_implement: To successfully implement this search you need to be ingesting information @@ -45,7 +45,7 @@ tags: type: Endpoint role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml index 11ec1301dd..1e7be049f0 100644 --- a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml +++ b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml @@ -42,7 +42,7 @@ tags: mitre_attack_id: - T1113 observable: - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/suspicious_wevtutil_usage.yml b/detections/endpoint/suspicious_wevtutil_usage.yml index 6fc603e530..a08b894ea9 100644 --- a/detections/endpoint/suspicious_wevtutil_usage.yml +++ b/detections/endpoint/suspicious_wevtutil_usage.yml @@ -43,7 +43,7 @@ tags: type: Endpoint role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml index 3e65a806ac..1f4862157b 100644 --- a/detections/endpoint/system_information_discovery_detection.yml +++ b/detections/endpoint/system_information_discovery_detection.yml @@ -29,7 +29,7 @@ tags: asset_type: Windows confidence: 50 impact: 30 - message: Potential system information discovery behavior on $dest$ by $User$ + message: Potential system information discovery behavior on $dest$ by $user$ mitre_attack_id: - T1082 observable: @@ -37,7 +37,7 @@ tags: type: Endpoint role: - Victim - - name: User + - name: user type: User role: - Attacker diff --git a/detections/endpoint/time_provider_persistence_registry.yml b/detections/endpoint/time_provider_persistence_registry.yml index 853c30860a..dba8ed1d42 100644 --- a/detections/endpoint/time_provider_persistence_registry.yml +++ b/detections/endpoint/time_provider_persistence_registry.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\CurrentControlSet\\Services\\W32Time\\TimeProviders*") - BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -35,7 +35,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: modified/added/deleted registry entry $Registry.registry_path$ in $dest$ + message: modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1547.003 - T1547 diff --git a/detections/endpoint/uac_bypass_with_colorui_com_object.yml b/detections/endpoint/uac_bypass_with_colorui_com_object.yml index 2878d34994..e5392983e3 100644 --- a/detections/endpoint/uac_bypass_with_colorui_com_object.yml +++ b/detections/endpoint/uac_bypass_with_colorui_com_object.yml @@ -13,7 +13,7 @@ data_source: search: '`sysmon` EventCode=7 ImageLoaded="*\\colorui.dll" process_name != "colorcpl.exe" NOT(Image IN("*\\windows\\*", "*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode - Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + Signed ProcessId user | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -39,7 +39,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml index c2e3517095..29dd976bd9 100644 --- a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml +++ b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml @@ -34,16 +34,12 @@ tags: asset_type: Endpoint confidence: 60 impact: 60 - message: '' + message: Unknown process $process_name$ using the kerberos protocol detected on host $dest$ mitre_attack_id: - T1550 observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: dest_ip - type: IP Address + - name: dest + type: Hostname role: - Victim product: diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_auth.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_auth.yml index c0217beff9..9197b58229 100644 --- a/detections/endpoint/windows_steal_authentication_certificates___esc1_auth.yml +++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_auth.yml @@ -5,8 +5,7 @@ date: '2023-05-25' author: Steven Dick status: production type: TTP -description: >- - The following analytic identifies when a suspicious certificate is granted using Active Directory Certificate Services (AD CS) with a Subject Alternative Name (SAN) and then immediately used for authentication. This action alone may not be malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1). +description: The following analytic identifies when a suspicious certificate is granted using Active Directory Certificate Services (AD CS) with a Subject Alternative Name (SAN) and then immediately used for authentication. This action alone may not be malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1). data_source: - Windows Security 4887 - Windows Security 4768 @@ -21,21 +20,19 @@ search: >- | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name | eval user = lower(coalesce(req_user_1,req_user_2)) | join user - [ - | search `wineventlog_security` EventCode=4768 CertThumbprint=* - | rename TargetUserName as user, Computer as auth_dest, IpAddress as auth_src - | fields auth_src,auth_dest,user - ] + [ + | search `wineventlog_security` EventCode=4768 CertThumbprint=* + | rename TargetUserName as user, Computer as auth_dest, IpAddress as auth_src + | fields auth_src,auth_dest,user + ] | eval src = upper(coalesce(auth_src,req_src)), dest = upper(coalesce(auth_dest,req_dest_1,req_dest_2)), risk_score = 90 | eval flavor_text = case(signature_id=="4887", "User account [".'user'."] authenticated after a suspicious certificate was issued for it by [".'src_user'."] using certificate request ID: ".'ssl_serial') | fields - req_* auth_* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates___esc1_authentication_filter` -how_to_implement: >- - To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. -known_false_positives: >- - False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names for authentication. Sources or templates used in these processes may need to be tuned out for accurate function. +how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. +known_false_positives: False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names for authentication. Sources or templates used in these processes may need to be tuned out for accurate function. references: - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf - https://github.com/ly4k/Certipy#esc1 @@ -46,7 +43,7 @@ tags: asset_type: Endpoint confidence: 90 impact: 100 - message: Possible AD CS ESC1 authentication - $flavor_text$ + message: Possible AD CS ESC1 authentication on $dest$ mitre_attack_id: - T1649 - T1550 From 10cb1816bb2b2650c2659bfe774ffbd82e3e95dc Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 21 Aug 2023 15:12:49 -0700 Subject: [PATCH 12/47] updated another 30 --- ...ss_connecting_to_ip_check_web_services.yml | 8 +++---- ...ogon_duplicate_handle_in_uncommon_path.yml | 9 ++++---- ...ed_domain_account_serviceprincipalname.yml | 10 +++------ ...ndows_clipboard_data_via_get_clipboard.yml | 9 ++++---- ...ential_dumping_lsass_memory_createdump.yml | 2 +- ...dows_defender_exclusion_registry_entry.yml | 4 ++-- ...sable_change_password_through_registry.yml | 2 +- ...k_workstation_feature_through_registry.yml | 2 +- ...disable_logoff_button_through_registry.yml | 2 +- .../windows_disable_memory_crash_dump.yml | 11 +--------- .../windows_disable_notification_center.yml | 2 +- ...sable_shutdown_button_through_registry.yml | 2 +- ...group_policy_features_through_registry.yml | 4 ++-- ...ows_dotnet_binary_in_non_standard_path.yml | 2 +- .../windows_driver_load_non_standard_path.yml | 6 +++--- ...notification_features_through_registry.yml | 2 +- .../windows_iis_components_add_new_module.yml | 2 +- .../windows_installutil_credential_theft.yml | 8 ++----- ...ndows_installutil_in_non_standard_path.yml | 2 +- ..._installutil_remote_network_connection.yml | 2 +- ...tallutil_uninstall_option_with_network.yml | 4 ++-- .../windows_krbrelayup_service_creation.yml | 2 +- .../windows_mimikatz_binary_execution.yml | 2 +- .../windows_modify_registry_risk_behavior.yml | 4 ++-- ...w_compress_color_and_info_tip_registry.yml | 2 +- ..._mof_event_triggered_execution_via_wmi.yml | 2 +- .../windows_mshta_execution_in_registry.yml | 4 ++-- ...ndows_msiexec_with_network_connections.yml | 6 +++--- ...rs_failed_to_authenticate_from_process.yml | 6 +++--- ...otely_failed_to_authenticate_from_host.yml | 6 +++--- ...uthentication_certificates___esc1_auth.yml | 21 ++++++++----------- 31 files changed, 64 insertions(+), 86 deletions(-) diff --git a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml index 9f14633af9..4dfd50a168 100644 --- a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml +++ b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml @@ -5,7 +5,7 @@ date: '2022-06-01' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: this search is designed to detect suspicious wermgr.exe process that +description: This search is designed to detect suspicious wermgr.exe process that tries to connect to known IP web services. This technique is know for trickbot and other trojan spy malware to recon the infected machine and look for its ip address without so much finger print on the commandline process. Since wermgr.exe is designed @@ -19,7 +19,7 @@ search: '`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN ("*wtfism "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org","*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name - ProcessId QueryName QueryStatus QueryResults Computer EventCode | `security_content_ctime(firstTime)` + ProcessId QueryName QueryStatus QueryResults Computer EventCode | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from @@ -35,12 +35,12 @@ tags: asset_type: Endpoint confidence: 80 impact: 70 - message: Wermgr.exe process connecting IP location web services on $ComputerName$ + message: Wermgr.exe process connecting IP location web services on $dest$ mitre_attack_id: - T1590 - T1590.005 observable: - - name: ComputerName + - name: dest type: Endpoint role: - Victim diff --git a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml index b3513f7bea..b887c208bb 100644 --- a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml +++ b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml @@ -17,8 +17,8 @@ data_source: search: '`sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as - lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId - TargetProcessId GrantedAccess CallTrace | `security_content_ctime(firstTime)` | + lastTime by Computer SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId + TargetProcessId GrantedAccess CallTrace | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model @@ -35,13 +35,12 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: a process $SourceImage$ is duplicating the handle token of winlogon.exe - in $Computer$ + message: A process $SourceImage$ is duplicating the handle token of winlogon.exe on $dest$ mitre_attack_id: - T1134.001 - T1134 observable: - - name: Computer + - name: dest type: Endpoint role: - Victim diff --git a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml index 90d67b96e9..a40a9488a2 100644 --- a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml +++ b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml @@ -14,7 +14,7 @@ description: The following analytic identifies the addition of a Service Princip search: ' `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType="%%14674") endswith=(EventCode=5136 OperationType="%%14675") | eval short_lived=case((duration<300),"TRUE") - | search short_lived = TRUE + | search short_lived = TRUE | rename ObjectDN as user | `windows_ad_short_lived_domain_account_serviceprincipalname_filter`' how_to_implement: To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` @@ -32,15 +32,11 @@ tags: asset_type: Endpoint confidence: 80 impact: 50 - message: A Servince Principal Name for $ObjectDN$ was set and shortly deleted + message: A Servince Principal Name for $user$ was set and shortly deleted mitre_attack_id: - T1098 observable: - - name: SubjectUserName - type: User - role: - - Attacker - - name: ObjectDN + - name: user type: User role: - Victim diff --git a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml index 7858698460..dd971026de 100644 --- a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml +++ b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml @@ -14,7 +14,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-Clipboard*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer - user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_clipboard_data_via_get_clipboard_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -31,16 +31,15 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: powershell script $ScriptBlockText$ execute Get-Clipboard commandlet in - $dest$ + message: Powershell script $ScriptBlockText$ execute Get-Clipboard commandlet on $dest$ mitre_attack_id: - T1115 observable: - - name: Computer + - name: dest type: Hostname role: - Victim - - name: UserID + - name: user type: User role: - Victim diff --git a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml index cd96dc4215..388dcce280 100644 --- a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml +++ b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml @@ -43,7 +43,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml index f002641c85..79db164e77 100644 --- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml +++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml @@ -15,7 +15,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\*") - BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -37,7 +37,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: exclusion registry $registry_path$ modified or added on $dest$ + message: Exclusion registry $registry_path$ modified or added on $dest$ for Windows Defender mitre_attack_id: - T1562.001 - T1562 diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml index 9392c85e6e..f20d3a9cf0 100644 --- a/detections/endpoint/windows_disable_change_password_through_registry.yml +++ b/detections/endpoint/windows_disable_change_password_through_registry.yml @@ -18,7 +18,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`' diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml index 5c936dac83..40296b60e0 100644 --- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml +++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`' diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml index b0c94e2d27..e9f8d6d450 100644 --- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml +++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml @@ -19,7 +19,7 @@ data_source: search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" Registry.registry_value_name IN ("NoLogOff", "StartMenuLogOff") Registry.registry_value_data - = "0x00000001") BY _time span=1h Registry.registry_path Registry.registry_key_name + = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`' diff --git a/detections/endpoint/windows_disable_memory_crash_dump.yml b/detections/endpoint/windows_disable_memory_crash_dump.yml index 7c72079b38..11f1af2b62 100644 --- a/detections/endpoint/windows_disable_memory_crash_dump.yml +++ b/detections/endpoint/windows_disable_memory_crash_dump.yml @@ -38,8 +38,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 90 - message: A process $process_name$ was identified attempting to disable memory crash - dumps on $dest$. + message: A process was identified attempting to disable memory crash dumps on $dest$. mitre_attack_id: - T1485 observable: @@ -51,14 +50,6 @@ tags: type: Hostname role: - Victim - - name: parent_process_name - type: Process - role: - - Parent Process - - name: process_name - type: Process - role: - - Child Process product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml index 003d3255e9..9771f4d53d 100644 --- a/detections/endpoint/windows_disable_notification_center.yml +++ b/detections/endpoint/windows_disable_notification_center.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= "DisableNotificationCenter" Registry.registry_value_data - = "0x00000001") BY _time span=1h Registry.registry_path Registry.registry_key_name + = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`' diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml index 925d61e96c..aced4a6396 100644 --- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml +++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml @@ -17,7 +17,7 @@ data_source: search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon" Registry.registry_value_data = "0x00000000") OR (Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose" - Registry.registry_value_data = "0x00000001")) BY _time span=1h Registry.registry_path + Registry.registry_value_data = "0x00000001")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`' diff --git a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml index 9f258469fd..a8425b3fdc 100644 --- a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml +++ b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml @@ -14,7 +14,7 @@ description: This analytic is to detect a suspicious registry modification to di allowed doing this is needed. data_source: - Sysmon Event ID 1 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\*" Registry.registry_value_name IN ("NoDesktop", "NoFind", "NoControlPanel", "NoFileMenu", "NoSetTaskbar", "NoTrayContextMenu", "TaskbarLockAll", "NoThemesTab","NoPropertiesMyDocuments","NoVisualStyleChoice","NoColorChoice","NoPropertiesMyDocuments") Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\*" Registry.registry_value_name IN ("NoDesktop", "NoFind", "NoControlPanel", "NoFileMenu", "NoSetTaskbar", "NoTrayContextMenu", "TaskbarLockAll", "NoThemesTab","NoPropertiesMyDocuments","NoVisualStyleChoice","NoColorChoice","NoPropertiesMyDocuments") Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` @@ -38,7 +38,7 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: Registry modification to disable windows features on $dest$ + message: Registry modification to disable windows group policy features on $dest$ mitre_attack_id: - T1112 observable: diff --git a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml index 0378b37200..82c44f2ee1 100644 --- a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml +++ b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml @@ -19,7 +19,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN ("*\\Windows\\ADWS\\*","*\\Windows\\SysWOW64*", "*\\Windows\\system32*", "*\\Windows\\NetworkController\\*", "*\\Windows\\SystemApps\\*", "*\\WinSxS\\*", "*\\Windows\\Microsoft.NET\\*")) by - Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file` | `windows_dotnet_binary_in_non_standard_path_filter`' diff --git a/detections/endpoint/windows_driver_load_non_standard_path.yml b/detections/endpoint/windows_driver_load_non_standard_path.yml index 84653c942e..b531024a23 100644 --- a/detections/endpoint/windows_driver_load_non_standard_path.yml +++ b/detections/endpoint/windows_driver_load_non_standard_path.yml @@ -14,7 +14,7 @@ description: data_source: - Sysmon Event ID 7 search: '`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" NOT (ImagePath IN ("*\\Windows\\*", "*\\Program File*", "*\\systemroot\\*","%SystemRoot%*", "system32\*")) - | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType + | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`' @@ -38,12 +38,12 @@ tags: asset_type: Endpoint confidence: 60 impact: 60 - message: A kernel mode driver was loaded from a non-standard path on $ComputerName$. + message: A kernel mode driver was loaded from a non-standard path on $dest$. mitre_attack_id: - T1014 - T1068 observable: - - name: ComputerName + - name: dest type: Endpoint role: - Victim diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml index 8366ad24f9..0c29c3da19 100644 --- a/detections/endpoint/windows_hide_notification_features_through_registry.yml +++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" Registry.registry_value_name IN ("HideClock", "HideSCAHealth", "HideSCANetwork", "HideSCAPower", "HideSCAVolume") Registry.registry_value_data = "0x00000001") BY - _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hide_notification_features_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting diff --git a/detections/endpoint/windows_iis_components_add_new_module.yml b/detections/endpoint/windows_iis_components_add_new_module.yml index 64e17a86c0..5829dfaca1 100644 --- a/detections/endpoint/windows_iis_components_add_new_module.yml +++ b/detections/endpoint/windows_iis_components_add_new_module.yml @@ -51,7 +51,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/windows_installutil_credential_theft.yml b/detections/endpoint/windows_installutil_credential_theft.yml index f569a9fe81..3c07f0d4a1 100644 --- a/detections/endpoint/windows_installutil_credential_theft.yml +++ b/detections/endpoint/windows_installutil_credential_theft.yml @@ -24,7 +24,7 @@ data_source: - Sysmon Event ID 7 search: '`sysmon` EventCode=7 parent_process_name=installutil.exe ImageLoaded IN ("*\\samlib.dll", "*\\vaultcli.dll") | stats count min(_time) as firstTime max(_time) - as lastTime by Computer, parent_process_name, ImageLoaded, OriginalFileName, ProcessId + as lastTime by Computer, parent_process_name, ImageLoaded, OriginalFileName, ProcessId, user | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -40,7 +40,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified + message: An instance of $parent_process_name$ spawning $ImageLoaded$ was identified on endpoint $dest$ by user $user$ loading samlib.dll and vaultcli.dll to potentially capture credentials in memory. mitre_attack_id: @@ -59,10 +59,6 @@ tags: type: Process role: - Parent Process - - name: process_name - type: Process - role: - - Child Process product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/windows_installutil_in_non_standard_path.yml b/detections/endpoint/windows_installutil_in_non_standard_path.yml index a87f4d7666..de737c4238 100644 --- a/detections/endpoint/windows_installutil_in_non_standard_path.yml +++ b/detections/endpoint/windows_installutil_in_non_standard_path.yml @@ -14,7 +14,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN ("*\\Windows\\ADWS\\*","*\\Windows\\SysWOW64*", "*\\Windows\\system32*", "*\\Windows\\NetworkController\\*", "*\\Windows\\SystemApps\\*", "*\\WinSxS\\*", "*\\Windows\\Microsoft.NET\\*")) by - Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`' diff --git a/detections/endpoint/windows_installutil_remote_network_connection.yml b/detections/endpoint/windows_installutil_remote_network_connection.yml index d17cf16767..758c190a75 100644 --- a/detections/endpoint/windows_installutil_remote_network_connection.yml +++ b/detections/endpoint/windows_installutil_remote_network_connection.yml @@ -28,7 +28,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` - | rename dest as C2 ] | table _time dest parent_process_name process_name process_path + | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_remote_network_connection_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from diff --git a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml index c23e7f4a91..ba2ec7e96a 100644 --- a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml +++ b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml @@ -27,12 +27,12 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` Processes.process IN ("*/u*", "*uninstall*") by _time - span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path + span=1h Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port - | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name + | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_uninstall_option_with_network_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from diff --git a/detections/endpoint/windows_krbrelayup_service_creation.yml b/detections/endpoint/windows_krbrelayup_service_creation.yml index c08b5d605e..fb5929abb6 100644 --- a/detections/endpoint/windows_krbrelayup_service_creation.yml +++ b/detections/endpoint/windows_krbrelayup_service_creation.yml @@ -11,7 +11,7 @@ description: The following analytic identifies the default service name created data_source: - Sysmon Event ID 7 search: '`wineventlog_system` EventCode=7045 Service_Name IN ("KrbSCM") | stats count - min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name + min(_time) as firstTime max(_time) as lastTime by dest EventCode Service_File_Name Service_Name Service_Start_Type Service_Type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_krbrelayup_service_creation_filter`' how_to_implement: To successfully implement this search, you need to be ingesting diff --git a/detections/endpoint/windows_mimikatz_binary_execution.yml b/detections/endpoint/windows_mimikatz_binary_execution.yml index 9a876ef214..802d9ec98e 100644 --- a/detections/endpoint/windows_mimikatz_binary_execution.yml +++ b/detections/endpoint/windows_mimikatz_binary_execution.yml @@ -50,7 +50,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/windows_modify_registry_risk_behavior.yml b/detections/endpoint/windows_modify_registry_risk_behavior.yml index a481d3919b..17c8a72951 100644 --- a/detections/endpoint/windows_modify_registry_risk_behavior.yml +++ b/detections/endpoint/windows_modify_registry_risk_behavior.yml @@ -40,11 +40,11 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: An increase of Windows Modify Registry behavior has been detected on $affected_systems$ + message: An increase of Windows Modify Registry behavior has been detected on $risk_object$ mitre_attack_id: - T1112 observable: - - name: affected_systems + - name: risk_object type: Hostname role: - Victim diff --git a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml index feca71daa4..2a096012bc 100644 --- a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml +++ b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml @@ -16,7 +16,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced*" - AND Registry.registry_value_name IN("ShowCompColor", "ShowInfoTip")) BY _time span=1h + AND Registry.registry_value_name IN("ShowCompColor", "ShowInfoTip")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_show_compress_color_and_info_tip_registry_filter`' diff --git a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml index ef07bafe4c..c5a9740f79 100644 --- a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml +++ b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml @@ -50,7 +50,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/windows_mshta_execution_in_registry.yml b/detections/endpoint/windows_mshta_execution_in_registry.yml index 918dd8bf96..997ece1ba3 100644 --- a/detections/endpoint/windows_mshta_execution_in_registry.yml +++ b/detections/endpoint/windows_mshta_execution_in_registry.yml @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_value_data = "*mshta*" OR Registry.registry_value_data IN ("*javascript:*", "*vbscript:*","*WScript.Shell*") by Registry.registry_key_name Registry.registry_path Registry.registry_value_data - Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + Registry.action Registry.dest Registry.user| `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_execution_in_registry_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model @@ -37,7 +37,7 @@ tags: asset_type: Endpoint confidence: 90 impact: 80 - message: a registry $registry_path$ contains mshta $registry_value_data$ in $dest$ + message: A registry $registry_path$ contains mshta $registry_value_data$ in $dest$ mitre_attack_id: - T1218.005 observable: diff --git a/detections/endpoint/windows_msiexec_with_network_connections.yml b/detections/endpoint/windows_msiexec_with_network_connections.yml index 6223abb2f3..297a1abd4a 100644 --- a/detections/endpoint/windows_msiexec_with_network_connections.yml +++ b/detections/endpoint/windows_msiexec_with_network_connections.yml @@ -11,13 +11,13 @@ description: The following analytic identifies MSIExec with any network connecti data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes - where `process_msiexec` by _time Processes.process_id Processes.process_name Processes.dest + where `process_msiexec` by _time Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("80","443") by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] - | table _time dest parent_process_name process_name process_path process process_id + | table _time user dest parent_process_name process_name process_path process process_id dest_port dest_ip | `windows_msiexec_with_network_connections_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from @@ -37,7 +37,7 @@ tags: confidence: 50 impact: 70 message: An instance of $process_name$ was identified on endpoint $dest$ contacting - a remote destination. + a remote destination $dest_ip$ mitre_attack_id: - T1218.007 observable: diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml index 9a1e75e568..4a29accd03 100644 --- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml +++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml @@ -35,7 +35,7 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events search: ' `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) - as tried_accounts by _time, ProcessName, SubjectUserName, Computer | where unique_accounts + as tried_accounts by _time, ProcessName, SubjectUserName, Computer | rename Computer as dest | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`' status: production tags: @@ -46,12 +46,12 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: Potential password spraying attack from $Computer$ + message: Potential password spraying attack from $dest$ mitre_attack_id: - T1110.003 - T1110 observable: - - name: ComputerName + - name: dest role: - Victim type: Endpoint diff --git a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml index 6cc3cbd1e5..53e6414474 100644 --- a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml +++ b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml @@ -36,7 +36,7 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events search: ' `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) - as tried_accounts by _time, IpAddress, Computer | where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter` ' + as tried_accounts by _time, IpAddress, Computer | rename Computer as dest| where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter` ' status: production tags: analytic_story: @@ -45,12 +45,12 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: Potential password spraying attack on $ComputerName$ + message: Potential password spraying attack on $dest$ mitre_attack_id: - T1110.003 - T1110 observable: - - name: ComputerName + - name: dest role: - Victim type: Endpoint diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_auth.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_auth.yml index c0217beff9..9197b58229 100644 --- a/detections/endpoint/windows_steal_authentication_certificates___esc1_auth.yml +++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_auth.yml @@ -5,8 +5,7 @@ date: '2023-05-25' author: Steven Dick status: production type: TTP -description: >- - The following analytic identifies when a suspicious certificate is granted using Active Directory Certificate Services (AD CS) with a Subject Alternative Name (SAN) and then immediately used for authentication. This action alone may not be malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1). +description: The following analytic identifies when a suspicious certificate is granted using Active Directory Certificate Services (AD CS) with a Subject Alternative Name (SAN) and then immediately used for authentication. This action alone may not be malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1). data_source: - Windows Security 4887 - Windows Security 4768 @@ -21,21 +20,19 @@ search: >- | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name | eval user = lower(coalesce(req_user_1,req_user_2)) | join user - [ - | search `wineventlog_security` EventCode=4768 CertThumbprint=* - | rename TargetUserName as user, Computer as auth_dest, IpAddress as auth_src - | fields auth_src,auth_dest,user - ] + [ + | search `wineventlog_security` EventCode=4768 CertThumbprint=* + | rename TargetUserName as user, Computer as auth_dest, IpAddress as auth_src + | fields auth_src,auth_dest,user + ] | eval src = upper(coalesce(auth_src,req_src)), dest = upper(coalesce(auth_dest,req_dest_1,req_dest_2)), risk_score = 90 | eval flavor_text = case(signature_id=="4887", "User account [".'user'."] authenticated after a suspicious certificate was issued for it by [".'src_user'."] using certificate request ID: ".'ssl_serial') | fields - req_* auth_* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates___esc1_authentication_filter` -how_to_implement: >- - To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. -known_false_positives: >- - False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names for authentication. Sources or templates used in these processes may need to be tuned out for accurate function. +how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. +known_false_positives: False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names for authentication. Sources or templates used in these processes may need to be tuned out for accurate function. references: - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf - https://github.com/ly4k/Certipy#esc1 @@ -46,7 +43,7 @@ tags: asset_type: Endpoint confidence: 90 impact: 100 - message: Possible AD CS ESC1 authentication - $flavor_text$ + message: Possible AD CS ESC1 authentication on $dest$ mitre_attack_id: - T1649 - T1550 From 5a1187f7afcbcfeef4a76c7a5ccf3b762007b816 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 21 Aug 2023 15:58:35 -0700 Subject: [PATCH 13/47] updating the remainder of yamls --- detections/endpoint/windows_nirsoft_advancedrun.yml | 2 +- .../windows_non_system_account_targeting_lsass.yml | 4 ++-- .../endpoint/windows_possible_credential_dumping.yml | 4 ++-- .../endpoint/windows_post_exploitation_risk_behavior.yml | 4 ++-- .../windows_powershell_import_applocker_policy.yml | 8 ++++---- .../windows_powershell_wmi_win32_scheduledjob.yml | 2 +- .../windows_powerview_kerberos_service_ticket_request.yml | 8 ++++---- detections/endpoint/windows_powerview_spn_discovery.yml | 8 ++++---- .../endpoint/windows_process_injection_into_notepad.yml | 2 +- .../windows_raw_access_to_disk_volume_partition.yml | 6 +++--- detections/endpoint/windows_remote_create_service.yml | 2 +- detections/endpoint/windows_service_create_sliverc2.yml | 6 +++--- .../windows_service_creation_using_registry_entry.yml | 4 ++-- .../endpoint/windows_snake_malware_service_create.yml | 2 +- .../web/web_spring4shell_http_request_class_module.yml | 2 +- 15 files changed, 32 insertions(+), 32 deletions(-) diff --git a/detections/endpoint/windows_nirsoft_advancedrun.yml b/detections/endpoint/windows_nirsoft_advancedrun.yml index db3bdab6c5..3becfe34c5 100644 --- a/detections/endpoint/windows_nirsoft_advancedrun.yml +++ b/detections/endpoint/windows_nirsoft_advancedrun.yml @@ -47,7 +47,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/windows_non_system_account_targeting_lsass.yml b/detections/endpoint/windows_non_system_account_targeting_lsass.yml index 549be06155..48589143e0 100644 --- a/detections/endpoint/windows_non_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_non_system_account_targeting_lsass.yml @@ -14,8 +14,8 @@ data_source: - Sysmon Event ID 1 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser="NT AUTHORITY\\*") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, - GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser | rename Computer - as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser, ImageLoaded | rename SourceUser + as user | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your diff --git a/detections/endpoint/windows_possible_credential_dumping.yml b/detections/endpoint/windows_possible_credential_dumping.yml index c7b6fce794..6baffb62e7 100644 --- a/detections/endpoint/windows_possible_credential_dumping.yml +++ b/detections/endpoint/windows_possible_credential_dumping.yml @@ -30,8 +30,8 @@ search: '`sysmon` EventCode=10 TargetImage=*\\lsass.exe GrantedAccess IN ("0x010 "0x1000") CallTrace IN ("*dbgcore.dll*", "*dbghelp.dll*", "*ntdll.dll*", "*kernelbase.dll*", "*kernel32.dll*") NOT SourceUser IN ("NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE")| stats count min(_time) as firstTime max(_time) as lastTime by, Computer, - SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser - | rename Computer as dest | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` + SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser, ImageLoaded + | rename Computer as dest | rename SourceUser as user | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `windows_possible_credential_dumping_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your diff --git a/detections/endpoint/windows_post_exploitation_risk_behavior.yml b/detections/endpoint/windows_post_exploitation_risk_behavior.yml index d4d1e3f0ef..ff91d5abca 100644 --- a/detections/endpoint/windows_post_exploitation_risk_behavior.yml +++ b/detections/endpoint/windows_post_exploitation_risk_behavior.yml @@ -37,7 +37,7 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: An increase of Windows Post Exploitation behavior has been detected on $affected_systems$ + message: An increase of Windows Post Exploitation behavior has been detected on $risk_object$ mitre_attack_id: - T1012 - T1049 @@ -48,7 +48,7 @@ tags: - T1115 - T1552 observable: - - name: affected_systems + - name: risk_object type: Hostname role: - Victim diff --git a/detections/endpoint/windows_powershell_import_applocker_policy.yml b/detections/endpoint/windows_powershell_import_applocker_policy.yml index 5246464719..9098f0dbdd 100644 --- a/detections/endpoint/windows_powershell_import_applocker_policy.yml +++ b/detections/endpoint/windows_powershell_import_applocker_policy.yml @@ -13,7 +13,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText="*Import-Module Applocker*" ScriptBlockText="*Set-AppLockerPolicy *" ScriptBlockText="* -XMLPolicy *" | stats count min(_time) as firstTime max(_time) - as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` + as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -29,18 +29,18 @@ tags: confidence: 70 impact: 70 message: A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ - with EventCode $EventCode$ in host $Computer$ + with EventCode $EventCode$ on host $dest$ mitre_attack_id: - T1059.001 - T1059 - T1562.001 - T1562 observable: - - name: Computer + - name: dest type: Hostname role: - Victim - - name: User + - name: user type: User role: - Victim diff --git a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml index 2c83008555..570044b90e 100644 --- a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml +++ b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml @@ -9,7 +9,7 @@ data_source: - Powershell 4104 description: The following analytic detects the use of the PowerShell script block logging mechanism to detect the use of the Win32_ScheduledJob WMI class. This class allows the creation and management of scheduled tasks on Windows systems. However, due to security concerns, the class has been disabled by default in Windows systems, and its use must be explicitly enabled by modifying the registry. As a result, the detection of the use of this class may indicate malicious activity, especially if the class was enabled on the system by the attacker. Therefore, it is recommended to monitor the use of Win32_ScheduledJob through PowerShell script block logging and to investigate any suspicious activity. search: '`powershell` EventCode=4104 ScriptBlockText="*win32_scheduledjob*" - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_wmi_win32_scheduledjob_filter`' how_to_implement: To successfully implement this analytic, you will need to enable diff --git a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml index 9456792f12..dcfe7252a1 100644 --- a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml +++ b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml @@ -18,7 +18,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter`' how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. @@ -38,13 +38,13 @@ tags: confidence: 90 impact: 30 message: PowerView commandlets used for requesting SPN service ticket executed on - $Computer$ + $dest$ mitre_attack_id: - T1558 - T1558.003 observable: - - name: Client_Address - type: Endpoint + - name: dest + type: Hostname role: - Victim product: diff --git a/detections/endpoint/windows_powerview_spn_discovery.yml b/detections/endpoint/windows_powerview_spn_discovery.yml index 07538afed4..ba9a92b50b 100644 --- a/detections/endpoint/windows_powerview_spn_discovery.yml +++ b/detections/endpoint/windows_powerview_spn_discovery.yml @@ -18,7 +18,7 @@ data_source: - Powershell 4104 search: '`powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) ScriptBlockText= *-SPN* | stats count min(_time) as firstTime max(_time) as lastTime - by EventCode ScriptBlockText Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_powerview_spn_discovery_filter`' how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. @@ -36,13 +36,13 @@ tags: asset_type: endpoint confidence: 90 impact: 30 - message: PowerView commandlets used for SPN discovery executed on $Computer$ + message: PowerView commandlets used for SPN discovery executed on $dest$ mitre_attack_id: - T1558 - T1558.003 observable: - - name: Client_Address - type: Endpoint + - name: dest + type: Hostname role: - Victim product: diff --git a/detections/endpoint/windows_process_injection_into_notepad.yml b/detections/endpoint/windows_process_injection_into_notepad.yml index a0313156ac..34e86b6f42 100644 --- a/detections/endpoint/windows_process_injection_into_notepad.yml +++ b/detections/endpoint/windows_process_injection_into_notepad.yml @@ -10,7 +10,7 @@ data_source: description: The following analytic utilizes Sysmon to identify process injection into Notepad.exe, based on GrantedAccess requests - 0x40 and 0x1fffff. This particular behavior is attributed to the defaults of the SliverC2 framework by BishopFox. By default, the analytic filters out any SourceImage paths of System32, Syswow64 and program files. Add more as needed, or remove and monitor what is consistently injecting into notepad.exe. This particular behavior will occur from a source image that is the initial payload dropped. -search: '`sysmon` EventCode=10 TargetImage IN (*\\notepad.exe) NOT (SourceImage IN ("*\\system32\\*","*\\syswow64\\*","*\\Program Files\\*")) GrantedAccess IN ("0x40","0x1fffff") | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace +search: '`sysmon` EventCode=10 TargetImage IN (*\\notepad.exe) NOT (SourceImage IN ("*\\system32\\*","*\\syswow64\\*","*\\Program Files\\*")) GrantedAccess IN ("0x40","0x1fffff") | stats count min(_time) as firstTime max(_time) as lastTime by dest user SourceImage TargetImage GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_into_notepad_filter`' how_to_implement: To successfully implement this search, you need to be ingesting diff --git a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml index 6e41f44515..e4569dcb55 100644 --- a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml +++ b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml @@ -14,7 +14,7 @@ data_source: - Sysmon Event ID 9 search: '`sysmon` EventCode=9 Device = \\Device\\HarddiskVolume* NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as - lastTime by Image Device ProcessGuid ProcessId EventDescription EventCode Computer + lastTime by dest user Image Device ProcessGuid ProcessId EventDescription EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and @@ -36,12 +36,12 @@ tags: asset_type: Endpoint confidence: 100 impact: 90 - message: Process accessing disk partition $device$ in $dest$ + message: Process accessing disk partition $Device$ in $dest$ mitre_attack_id: - T1561.002 - T1561 observable: - - name: ComputerName + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/windows_remote_create_service.yml b/detections/endpoint/windows_remote_create_service.yml index 895dc5888d..331b1c341a 100644 --- a/detections/endpoint/windows_remote_create_service.yml +++ b/detections/endpoint/windows_remote_create_service.yml @@ -34,7 +34,7 @@ tags: type: User role: - Victim - - name: Computer + - name: dest type: Hostname role: - Victim diff --git a/detections/endpoint/windows_service_create_sliverc2.yml b/detections/endpoint/windows_service_create_sliverc2.yml index adab77dc48..94ae67cf06 100644 --- a/detections/endpoint/windows_service_create_sliverc2.yml +++ b/detections/endpoint/windows_service_create_sliverc2.yml @@ -10,7 +10,7 @@ data_source: description: When an adversary utilizes SliverC2 to laterally move with the Psexec module, it will create a service with the name and description of "Sliver" and "Sliver Implant". Note that these may be easily changed and are specific to only SliverC2. We have also created the same regex as Microsoft has outlined to attempt to capture the suspicious service path (regex101 reference). search: '`wineventlog_system` EventCode=7045 ServiceName="sliver" - | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType + | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_sliverc2_filter`' how_to_implement: To implement this analytic, the Windows EventCode 7045 will need to be logged from the System Event log. The Windows TA for Splunk is also recommended. @@ -25,12 +25,12 @@ tags: asset_type: Endpoint confidence: 100 impact: 90 - message: A user mode service was created on $ComputerName$ related to SliverC2. + message: A user mode service was created on $dest$ related to SliverC2. mitre_attack_id: - T1569 - T1569.002 observable: - - name: ComputerName + - name: dest type: Endpoint role: - Victim diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index 4305460aa6..3b2f77c5f3 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml @@ -15,7 +15,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services*" Registry.registry_value_name - = ImagePath) BY _time span=1h Registry.registry_path Registry.registry_key_name + = ImagePath) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`' @@ -37,7 +37,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: A Windows Service was created on a endpoint from $dest$ + message: A Windows Service was created on a endpoint from $dest$ using a registry entry mitre_attack_id: - T1574.011 observable: diff --git a/detections/endpoint/windows_snake_malware_service_create.yml b/detections/endpoint/windows_snake_malware_service_create.yml index 9ca3fed699..4293b8f6f4 100644 --- a/detections/endpoint/windows_snake_malware_service_create.yml +++ b/detections/endpoint/windows_snake_malware_service_create.yml @@ -10,7 +10,7 @@ data_source: description: 'The following analytic identifies a new service WerFaultSvc being created with a binary path located in the windows winsxs path. Per the report, the Snake version primarily discussed in this advisory registers a service to maintain persistence on a system. Typically this service is named WerFaultSvc which we assess was used to blend in with the legitimate Windows service WerSvc. On boot, this service will execute Snakes WerFault.exe, which Snake developers chose to hide among the numerous valid Windows WerFault.exe files in the windows WinSxS directory. Executing WerFault.exe will start the process of decrypting Snakes components and loading them into memory.' search: '`wineventlog_system` EventCode=7045 ImagePath="*\\windows\\winSxS\\*" ImagePath="*\Werfault.exe" - | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType + | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_service_create_filter`' how_to_implement: To successfully implement this search, you need to be ingesting diff --git a/detections/web/web_spring4shell_http_request_class_module.yml b/detections/web/web_spring4shell_http_request_class_module.yml index 992b5aef3d..9a35263a1a 100644 --- a/detections/web/web_spring4shell_http_request_class_module.yml +++ b/detections/web/web_spring4shell_http_request_class_module.yml @@ -11,7 +11,7 @@ description: The following analytic identifies the payload related to Spring4She commonality with the payloads being passed used the same fields "class.module.classLoader.resources.context.parent.pipeline.first". data_source: [] search: '`stream_http` http_method IN ("POST") | stats values(form_data) as http_request_body - min(_time) as firstTime max(_time) as lastTime count by http_method http_user_agent + min(_time) as firstTime max(_time) as lastTime count by src dest http_method http_user_agent uri_path url bytes_in bytes_out | search http_request_body IN ("*class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_*", "*class.module.classLoader.resources.context.parent.pipeline.first.pattern*","*suffix=.jsp*") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring4shell_http_request_class_module_filter`' From b2dde0e553d376461917b263e587a582058728ee Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 21 Aug 2023 16:34:42 -0700 Subject: [PATCH 14/47] fixes --- .../detect_regasm_with_no_command_line_arguments.yml | 5 +---- .../detect_regsvcs_with_no_command_line_arguments.yml | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml index 6c4d363187..c1520beb35 100644 --- a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml +++ b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml @@ -13,10 +13,7 @@ description: The following analytic identifies regasm.exe with no command line a and `C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe`. data_source: - Sysmon Event ID 1 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes - where `process_regasm` by _time span=1h Processes.process_id Processes.process_name - Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process_name - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(regasm\.exe.{0,4}$)" | `detect_regasm_with_no_command_line_arguments_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from diff --git a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml index 661356ab72..034ef6431b 100644 --- a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml +++ b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml @@ -15,7 +15,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name - Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process_name + Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(regsvcs\.exe.{0,4}$)"| `detect_regsvcs_with_no_command_line_arguments_filter`' how_to_implement: To successfully implement this search you need to be ingesting information From 5515264f5c8f05e4aa988561c1e959175f366f54 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 21 Aug 2023 16:43:00 -0700 Subject: [PATCH 15/47] Update getwmiobject_ds_group_with_powershell_script_block.yml adding pipe --- .../getwmiobject_ds_group_with_powershell_script_block.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml index cb2fd1d829..3791014fc2 100644 --- a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml @@ -15,7 +15,7 @@ data_source: search: '`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace root\\directory\\ldap*" AND ScriptBlockText="*class ds_group*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` `getwmiobject_ds_group_with_powershell_script_block_filter`' + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`getwmiobject_ds_group_with_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. From 9edc777c46ca1e49a430f97f9a7ea416b8521f46 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 21 Aug 2023 17:00:51 -0700 Subject: [PATCH 16/47] spl update --- detections/endpoint/sqlite_module_in_temp_folder.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/detections/endpoint/sqlite_module_in_temp_folder.yml b/detections/endpoint/sqlite_module_in_temp_folder.yml index 2457658008..81afdb7183 100644 --- a/detections/endpoint/sqlite_module_in_temp_folder.yml +++ b/detections/endpoint/sqlite_module_in_temp_folder.yml @@ -12,9 +12,9 @@ description: This search is to detect a suspicious file creation of sqlite3.dll data_source: - Sysmon Event ID 1 search: '`sysmon` EventCode=11 (TargetFilename = "*\\sqlite32.dll" OR TargetFilename - = "*\\sqlite64.dll") (TargetFilename = "*\\temp\\*") |stats count min(_time) as - firstTime max(_time) as lastTime by SourceImage process_name Computer TargetFilename EventCode ProcessId - Image | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + = "*\\sqlite64.dll") (TargetFilename = "*\\temp\\*") +| stats count min(_time) as + firstTime max(_time) as lastTime by dest signature signature_id process_name file_name file_path action process_guid| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sqlite_module_in_temp_folder_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -29,7 +29,7 @@ tags: asset_type: Endpoint confidence: 30 impact: 30 - message: process $SourceImage$ create a file $TargetFilename$ in host $dest$ + message: Process $process_name$ create a file $file_name$ in host $dest$ mitre_attack_id: - T1005 observable: @@ -37,7 +37,7 @@ tags: type: Hostname role: - Victim - - name: SourceImage + - name: process_name type: Process role: - Attacker From 81e76b03e7a7202506ff3a10836c399324a8f085 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 21 Aug 2023 17:23:06 -0700 Subject: [PATCH 17/47] fixing up spl --- .../endpoint/uac_bypass_with_colorui_com_object.yml | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/detections/endpoint/uac_bypass_with_colorui_com_object.yml b/detections/endpoint/uac_bypass_with_colorui_com_object.yml index e5392983e3..4dc76a4ded 100644 --- a/detections/endpoint/uac_bypass_with_colorui_com_object.yml +++ b/detections/endpoint/uac_bypass_with_colorui_com_object.yml @@ -10,10 +10,7 @@ description: This search is to detect a possible uac bypass using the colorui.dl where it make use of the colorui.dll COM CLSID to bypass UAC. data_source: - Sysmon Event ID 7 -search: '`sysmon` EventCode=7 ImageLoaded="*\\colorui.dll" process_name != "colorcpl.exe" - NOT(Image IN("*\\windows\\*", "*\\program files*")) | stats count min(_time) as - firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode - Signed ProcessId user | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`sysmon` EventCode=7 ImageLoaded="*\\colorui.dll" process_name != "colorcpl.exe" NOT(Image IN("*\\windows\\*", "*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime by dest parent_process_name process_name ImageLoaded signature_id signature Signed user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -29,16 +26,12 @@ tags: asset_type: Endpoint confidence: 80 impact: 60 - message: The following module $ImageLoaded$ was loaded by a non-standard application - on endpoint $Computer$ by user $user$. + message: The following module $ImageLoaded$ was loaded by a non-standard application $parent_process_name$ + on endpoint $dest$ by user $user_id$. mitre_attack_id: - T1218 - T1218.003 observable: - - name: user - type: User - role: - - Victim - name: dest type: Hostname role: From d075e808f98a2aa73a55a3c8f107b29979631e90 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 21 Aug 2023 17:27:35 -0700 Subject: [PATCH 18/47] spl fix --- .../endpoint/windows_installutil_credential_theft.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/detections/endpoint/windows_installutil_credential_theft.yml b/detections/endpoint/windows_installutil_credential_theft.yml index 3c07f0d4a1..3518abe2aa 100644 --- a/detections/endpoint/windows_installutil_credential_theft.yml +++ b/detections/endpoint/windows_installutil_credential_theft.yml @@ -24,8 +24,7 @@ data_source: - Sysmon Event ID 7 search: '`sysmon` EventCode=7 parent_process_name=installutil.exe ImageLoaded IN ("*\\samlib.dll", "*\\vaultcli.dll") | stats count min(_time) as firstTime max(_time) - as lastTime by Computer, parent_process_name, ImageLoaded, OriginalFileName, ProcessId, user - | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + as lastTime by dest, parent_process_name, ImageLoaded, OriginalFileName, ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and module loads from your endpoints. @@ -41,16 +40,12 @@ tags: confidence: 100 impact: 80 message: An instance of $parent_process_name$ spawning $ImageLoaded$ was identified - on endpoint $dest$ by user $user$ loading samlib.dll and vaultcli.dll to potentially + on endpoint $dest$ loading samlib.dll and vaultcli.dll to potentially capture credentials in memory. mitre_attack_id: - T1218.004 - T1218 observable: - - name: user - type: User - role: - - Victim - name: dest type: Hostname role: From 350cdffdeef1eacd9856d16b8c6b277fc2b1ebbe Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 21 Aug 2023 18:02:33 -0700 Subject: [PATCH 19/47] fixes --- ...ows_non_system_account_targeting_lsass.yml | 16 +++++-------- .../windows_possible_credential_dumping.yml | 24 +++++++++---------- ...windows_process_injection_into_notepad.yml | 6 +---- ...ws_raw_access_to_disk_volume_partition.yml | 15 ++++++------ 4 files changed, 26 insertions(+), 35 deletions(-) diff --git a/detections/endpoint/windows_non_system_account_targeting_lsass.yml b/detections/endpoint/windows_non_system_account_targeting_lsass.yml index 48589143e0..7d3ff261b8 100644 --- a/detections/endpoint/windows_non_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_non_system_account_targeting_lsass.yml @@ -13,9 +13,9 @@ description: The following analytic identifies non SYSTEM accounts requesting ac data_source: - Sysmon Event ID 1 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser="NT AUTHORITY\\*") - | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, - GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser, ImageLoaded | rename SourceUser - as user | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, parent_process_path ,parent_process_id, TargetImage, + GrantedAccess, SourceUser, TargetUser | rename TargetUser + as user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -35,7 +35,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: A process, $SourceImage$, has loaded $ImageLoaded$ that are typically related + message: A process, $parent_process_path$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details. mitre_attack_id: - T1003.001 @@ -49,14 +49,10 @@ tags: type: Hostname role: - Victim - - name: ImageLoaded + - name: parent_process_path type: Process role: - - Other - - name: SourceImage - type: Process - role: - - Child Process + - Parent Process product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/windows_possible_credential_dumping.yml b/detections/endpoint/windows_possible_credential_dumping.yml index 6baffb62e7..da811ce2ab 100644 --- a/detections/endpoint/windows_possible_credential_dumping.yml +++ b/detections/endpoint/windows_possible_credential_dumping.yml @@ -25,14 +25,16 @@ description: 'The following analytic is an enhanced version of two previous anal used to execute this module which is related to lsass dumping.' data_source: - Sysmon Event ID 1 -search: '`sysmon` EventCode=10 TargetImage=*\\lsass.exe GrantedAccess IN ("0x01000", - "0x1010", "0x1038", "0x40", "0x1400", "0x1fffff", "0x1410", "0x143a", "0x1438", - "0x1000") CallTrace IN ("*dbgcore.dll*", "*dbghelp.dll*", "*ntdll.dll*", "*kernelbase.dll*", - "*kernel32.dll*") NOT SourceUser IN ("NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK - SERVICE")| stats count min(_time) as firstTime max(_time) as lastTime by, Computer, - SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser, ImageLoaded - | rename Computer as dest | rename SourceUser as user | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` - | `windows_possible_credential_dumping_filter`' +search: '`sysmon` EventCode=10 TargetImage=*\\lsass.exe granted_access IN ("0x01000", + "0x1010", "0x1038", "0x40", "0x1400", "0x1fffff", "0x1410", "0x143a", "0x1438", + "0x1000") CallTrace IN ("*dbgcore.dll*", "*dbghelp.dll*", "*ntdll.dll*", "*kernelbase.dll*", + "*kernel32.dll*") NOT SourceUser IN ("NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK + SERVICE") +| stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser +| rename SourceUser as user +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| `windows_possible_credential_dumping_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -57,7 +59,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: A process, $SourceImage$, has loaded $ImageLoaded$ that are typically related + message: A process, $SourceImage$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details. mitre_attack_id: - T1003.001 @@ -71,10 +73,6 @@ tags: type: Hostname role: - Victim - - name: ImageLoaded - type: Process - role: - - Other - name: SourceImage type: Process role: diff --git a/detections/endpoint/windows_process_injection_into_notepad.yml b/detections/endpoint/windows_process_injection_into_notepad.yml index 34e86b6f42..21141bab2f 100644 --- a/detections/endpoint/windows_process_injection_into_notepad.yml +++ b/detections/endpoint/windows_process_injection_into_notepad.yml @@ -10,7 +10,7 @@ data_source: description: The following analytic utilizes Sysmon to identify process injection into Notepad.exe, based on GrantedAccess requests - 0x40 and 0x1fffff. This particular behavior is attributed to the defaults of the SliverC2 framework by BishopFox. By default, the analytic filters out any SourceImage paths of System32, Syswow64 and program files. Add more as needed, or remove and monitor what is consistently injecting into notepad.exe. This particular behavior will occur from a source image that is the initial payload dropped. -search: '`sysmon` EventCode=10 TargetImage IN (*\\notepad.exe) NOT (SourceImage IN ("*\\system32\\*","*\\syswow64\\*","*\\Program Files\\*")) GrantedAccess IN ("0x40","0x1fffff") | stats count min(_time) as firstTime max(_time) as lastTime by dest user SourceImage TargetImage GrantedAccess CallTrace +search: '`sysmon` EventCode=10 TargetImage IN (*\\notepad.exe) NOT (SourceImage IN ("*\\system32\\*","*\\syswow64\\*","*\\Program Files\\*")) GrantedAccess IN ("0x40","0x1fffff") | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_into_notepad_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -32,10 +32,6 @@ tags: - T1055 - T1055.002 observable: - - name: user - type: User - role: - - Victim - name: dest type: Hostname role: diff --git a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml index e4569dcb55..5c314b0dde 100644 --- a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml +++ b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml @@ -14,8 +14,7 @@ data_source: - Sysmon Event ID 9 search: '`sysmon` EventCode=9 Device = \\Device\\HarddiskVolume* NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as - lastTime by dest user Image Device ProcessGuid ProcessId EventDescription EventCode - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`' + lastTime by dest signature signature_id process_guid process_name process_path Device | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least @@ -51,13 +50,15 @@ tags: - Splunk Cloud required_fields: - _time - - Computer - - Image + - dest + - signature + - signature_id + - process_guid + - process_name + - process_path - Device - - ProcessGuid - - ProcessId - - EventDescription - EventCode + - Image risk_score: 90 security_domain: endpoint tests: From 5efd19e4a9da3153f44f5ab1997a77a17e944c41 Mon Sep 17 00:00:00 2001 From: Eric Li Date: Tue, 22 Aug 2023 15:44:44 -0700 Subject: [PATCH 20/47] Add drop None --- playbooks/Jira_Related_Tickets_Search.json | 3 ++- playbooks/Jira_Related_Tickets_Search.py | 2 +- playbooks/Jira_Related_Tickets_Search.yml | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/playbooks/Jira_Related_Tickets_Search.json b/playbooks/Jira_Related_Tickets_Search.json index 8eb4704bd6..7c1b257451 100644 --- a/playbooks/Jira_Related_Tickets_Search.json +++ b/playbooks/Jira_Related_Tickets_Search.json @@ -469,6 +469,7 @@ "customName": "combine reports", "customNameId": 0, "description": "Combines reports from success path and error path.", + "drop_none": true, "join": [], "note": "Combines reports from success path and error path." }, @@ -529,7 +530,7 @@ "schema": "5.0.10", "version": "6.1.0.131" }, - "create_time": "2023-08-09T23:38:55.771523+00:00", + "create_time": "2023-08-22T22:24:26.619154+00:00", "draft_mode": false, "labels": [ "*" diff --git a/playbooks/Jira_Related_Tickets_Search.py b/playbooks/Jira_Related_Tickets_Search.py index 0a5c31fa52..5051a5f71f 100644 --- a/playbooks/Jira_Related_Tickets_Search.py +++ b/playbooks/Jira_Related_Tickets_Search.py @@ -596,7 +596,7 @@ def combine_reports(action=None, success=None, container=None, results=None, han ## Custom Code End ################################################################################ - phantom.format(container=container, template=template, parameters=parameters, name="combine_reports") + phantom.format(container=container, template=template, parameters=parameters, name="combine_reports", drop_none=True) return diff --git a/playbooks/Jira_Related_Tickets_Search.yml b/playbooks/Jira_Related_Tickets_Search.yml index 3df13e0100..a1075405b5 100644 --- a/playbooks/Jira_Related_Tickets_Search.yml +++ b/playbooks/Jira_Related_Tickets_Search.yml @@ -1,7 +1,7 @@ name: Jira Related Tickets Search id: bd20698c-42d6-45ec-b7a0-fc356d624bdf version: 1 -date: '2023-08-09' +date: '2023-08-22' author: Eric Li, Splunk type: Investigation description: "Accepts a user or device and identifies if related tickets exists in a timeframe of last 30 days. Generates a global report and list of observables." From 0cb8955bb0cb71773274fee319074e805c4c226e Mon Sep 17 00:00:00 2001 From: Eric Li Date: Wed, 23 Aug 2023 14:20:20 -0700 Subject: [PATCH 21/47] Update playbook to fix None assignee and support dispatch playbook --- playbooks/Jira_Related_Tickets_Search.json | 6 +++--- playbooks/Jira_Related_Tickets_Search.py | 21 +++++++++++++++++++-- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/playbooks/Jira_Related_Tickets_Search.json b/playbooks/Jira_Related_Tickets_Search.json index 7c1b257451..d9ad8ac64c 100644 --- a/playbooks/Jira_Related_Tickets_Search.json +++ b/playbooks/Jira_Related_Tickets_Search.json @@ -107,7 +107,7 @@ } ], "globalCustomCode": null, - "hash": "39f254669883d18405a03c2000eef5d9e8fe5829", + "hash": "de0bf40b98d18d786250e8ea9d0c2e46c3017c61", "nodes": { "0": { "data": { @@ -246,7 +246,7 @@ "errors": {}, "id": "16", "type": "code", - "userCode": "\n def markdown_escape(string):\n \"\"\"\n Escape a string in Markdown.\n\n Input: a string or an object that can be converted to string using str(). e.g. \"index=* | top\"\n Output: escaped string. e.g. \"index=\\* \\| top\"\n \"\"\"\n\n # Must keep '\\\\' in the first, because it is used to escape other characters\n special_chars = ['\\\\', '`', '*', '_', '{', '}', '[', ']', '<', '>', '(', ')', '#', '+', '-', '.', '!', '|']\n ans = str(string)\n for i in special_chars:\n ans = ans.replace(i, '\\\\' + i)\n return ans\n\n build_output__observable_array = []\n build_output__summary = []\n build_output__name = []\n build_output__description = []\n build_output__create_time = []\n build_output__updated_time = []\n build_output__assignee = []\n build_output__reporter = []\n build_output__status = []\n build_output__ticket_type = []\n build_output__priority = []\n build_output__resolution = []\n build_output__matched_fields = []\n build_output__source_link = []\n build_output__source = []\n\n for key in process_results__output.keys():\n \n for value in process_results__output[key]:\n # Extract fields from ticket object.\n ticket = {}\n ticket['summary'] = value.get('summary')\n ticket['name'] = value.get('name')\n ticket['description'] = json.dumps(value['description']) # eliminate new line issues\n ticket['create_time'] = value['fields'].get('created')\n ticket['updated_time'] = value['fields'].get('updated')\n ticket['assignee'] = value['fields'].get('assignee', {}).get('displayName', '')\n ticket['reporter'] = value.get('reporter')\n ticket['status'] = value.get('status')\n ticket['ticket_type'] = value.get('issue_type')\n ticket['priority'] = value.get('priority')\n ticket['resolution'] = value.get('resolution')\n ticket['matched_fields'] = value.get('matched_fields')\n ticket['source_link'] = value.get('source_link')\n ticket['source'] = 'Jira'\n\n # Extract comments (only included in the observable object, not in other output variables).\n ticket['comments'] = []\n for comment in value['fields']['comment']['comments']:\n ticket['comments'].append(comment['body'])\n \n # Construct observable object\n observable_object = {\n \"value\": key,\n \"ticket\": ticket,\n \"matched_fields\": value['matched_fields'],\n \"source\": ticket['source'],\n \"source_link\": ticket['source_link']\n }\n\n # Add results to VPE code output\n build_output__observable_array.append(observable_object)\n build_output__summary.append(markdown_escape(ticket['summary']))\n build_output__name.append(markdown_escape(ticket['name']))\n build_output__description.append(markdown_escape(ticket['description']))\n build_output__create_time.append(markdown_escape(ticket['create_time']))\n build_output__updated_time.append(markdown_escape(ticket['updated_time']))\n build_output__assignee.append(markdown_escape(ticket['assignee']))\n build_output__reporter.append(markdown_escape(ticket['reporter']))\n build_output__status.append(markdown_escape(ticket['status']))\n build_output__ticket_type.append(markdown_escape(ticket['ticket_type']))\n build_output__priority.append(markdown_escape(ticket['priority']))\n build_output__resolution.append(markdown_escape(ticket['resolution']))\n build_output__matched_fields.append(markdown_escape(ticket['matched_fields']))\n build_output__source_link.append(markdown_escape(ticket['source_link']))\n build_output__source.append(markdown_escape(ticket['source']))\n\n", + "userCode": "\n def markdown_escape(string):\n \"\"\"\n Escape a string in Markdown.\n\n Input: a string or an object that can be converted to string using str(). e.g. \"index=* | top\"\n Output: escaped string. e.g. \"index=\\* \\| top\"\n \"\"\"\n\n # Must keep '\\\\' in the first, because it is used to escape other characters\n special_chars = ['\\\\', '`', '*', '_', '{', '}', '[', ']', '<', '>', '(', ')', '#', '+', '-', '.', '!', '|']\n ans = str(string)\n for i in special_chars:\n ans = ans.replace(i, '\\\\' + i)\n return ans\n\n build_output__observable_array = []\n build_output__summary = []\n build_output__name = []\n build_output__description = []\n build_output__create_time = []\n build_output__updated_time = []\n build_output__assignee = []\n build_output__reporter = []\n build_output__status = []\n build_output__ticket_type = []\n build_output__priority = []\n build_output__resolution = []\n build_output__matched_fields = []\n build_output__source_link = []\n build_output__source = []\n\n for key in process_results__output.keys():\n \n for value in process_results__output[key]:\n # Extract fields from ticket object.\n ticket = {}\n ticket['summary'] = value.get('summary')\n ticket['name'] = value.get('name')\n ticket['description'] = json.dumps(value['description']) # eliminate new line issues\n ticket['create_time'] = value['fields'].get('created')\n ticket['updated_time'] = value['fields'].get('updated')\n asignee_dict = value['fields'].get('assignee')\n if asignee_dict is not None:\n ticket['assignee'] = asignee_dict.get('displayName', '')\n else:\n ticket['assignee'] = ''\n ticket['reporter'] = value.get('reporter')\n ticket['status'] = value.get('status')\n ticket['ticket_type'] = value.get('issue_type')\n ticket['priority'] = value.get('priority')\n ticket['resolution'] = value.get('resolution')\n ticket['matched_fields'] = value.get('matched_fields')\n ticket['source_link'] = value.get('source_link')\n ticket['source'] = 'Jira'\n\n # Extract comments (only included in the observable object, not in other output variables).\n ticket['comments'] = []\n for comment in value['fields']['comment']['comments']:\n ticket['comments'].append(comment['body'])\n \n # Construct observable object\n observable_object = {\n \"value\": key,\n \"ticket\": {\n 'name': markdown_escape(ticket['summary']),\n 'number': markdown_escape(ticket['name']),\n 'message': markdown_escape(ticket['description']),\n 'start_time': markdown_escape(ticket['create_time']),\n 'updated_time': markdown_escape(ticket['updated_time']),\n 'end_time': '',\n 'assignee': markdown_escape(ticket['assignee']),\n 'creator_name': markdown_escape(ticket['reporter']),\n 'state': markdown_escape(ticket['status']),\n 'ticket_type': markdown_escape(ticket['ticket_type']),\n 'priority': markdown_escape(ticket['priority']),\n 'resolution': markdown_escape(ticket['resolution']),\n },\n \"matched_fields\": value['matched_fields'],\n \"source\": ticket['source'],\n \"source_link\": ticket['source_link']\n }\n\n # Add results to VPE code output\n build_output__observable_array.append(observable_object)\n build_output__summary.append(markdown_escape(ticket['summary']))\n build_output__name.append(markdown_escape(ticket['name']))\n build_output__description.append(markdown_escape(ticket['description']))\n build_output__create_time.append(markdown_escape(ticket['create_time']))\n build_output__updated_time.append(markdown_escape(ticket['updated_time']))\n build_output__assignee.append(markdown_escape(ticket['assignee']))\n build_output__reporter.append(markdown_escape(ticket['reporter']))\n build_output__status.append(markdown_escape(ticket['status']))\n build_output__ticket_type.append(markdown_escape(ticket['ticket_type']))\n build_output__priority.append(markdown_escape(ticket['priority']))\n build_output__resolution.append(markdown_escape(ticket['resolution']))\n build_output__matched_fields.append(markdown_escape(ticket['matched_fields']))\n build_output__source_link.append(markdown_escape(ticket['source_link']))\n build_output__source.append(markdown_escape(ticket['source']))\n\n", "warnings": {}, "x": 0, "y": 1220 @@ -530,7 +530,7 @@ "schema": "5.0.10", "version": "6.1.0.131" }, - "create_time": "2023-08-22T22:24:26.619154+00:00", + "create_time": "2023-08-23T21:18:18.801634+00:00", "draft_mode": false, "labels": [ "*" diff --git a/playbooks/Jira_Related_Tickets_Search.py b/playbooks/Jira_Related_Tickets_Search.py index 5051a5f71f..3ed69e2c49 100644 --- a/playbooks/Jira_Related_Tickets_Search.py +++ b/playbooks/Jira_Related_Tickets_Search.py @@ -262,7 +262,11 @@ def markdown_escape(string): ticket['description'] = json.dumps(value['description']) # eliminate new line issues ticket['create_time'] = value['fields'].get('created') ticket['updated_time'] = value['fields'].get('updated') - ticket['assignee'] = value['fields'].get('assignee', {}).get('displayName', '') + asignee_dict = value['fields'].get('assignee') + if asignee_dict is not None: + ticket['assignee'] = asignee_dict.get('displayName', '') + else: + ticket['assignee'] = '' ticket['reporter'] = value.get('reporter') ticket['status'] = value.get('status') ticket['ticket_type'] = value.get('issue_type') @@ -280,7 +284,20 @@ def markdown_escape(string): # Construct observable object observable_object = { "value": key, - "ticket": ticket, + "ticket": { + 'name': markdown_escape(ticket['summary']), + 'number': markdown_escape(ticket['name']), + 'message': markdown_escape(ticket['description']), + 'start_time': markdown_escape(ticket['create_time']), + 'updated_time': markdown_escape(ticket['updated_time']), + 'end_time': '', + 'assignee': markdown_escape(ticket['assignee']), + 'creator_name': markdown_escape(ticket['reporter']), + 'state': markdown_escape(ticket['status']), + 'ticket_type': markdown_escape(ticket['ticket_type']), + 'priority': markdown_escape(ticket['priority']), + 'resolution': markdown_escape(ticket['resolution']), + }, "matched_fields": value['matched_fields'], "source": ticket['source'], "source_link": ticket['source_link'] From 412a17c496149392001f99d096f983dcacde382d Mon Sep 17 00:00:00 2001 From: Patrick Date: Thu, 31 Aug 2023 08:08:15 +0200 Subject: [PATCH 22/47] updated spec --- spec/ba_detections.spec.json | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/spec/ba_detections.spec.json b/spec/ba_detections.spec.json index 803617f62c..8c5a297566 100644 --- a/spec/ba_detections.spec.json +++ b/spec/ba_detections.spec.json @@ -31,6 +31,15 @@ ], "type": "integer" }, + "status": { + "$id": "#/properties/status", + "default": "production", + "description": "status of detection: production or validation", + "examples": [ + 1 + ], + "type": "string" + }, "description": { "$id": "#/properties/description", "default": "", From eea790282d826c803e82e030bd09b474c88a0af4 Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Fri, 1 Sep 2023 10:18:27 -0700 Subject: [PATCH 23/47] First Draft - No test data --- ...domainacl_with_powershell_script_block.yml | 61 +++++++++++++++++++ ...minaccess_with_powershell_script_block.yml | 61 +++++++++++++++++++ ..._domainou_with_powershell_script_block.yml | 60 ++++++++++++++++++ ...estdomain_with_powershell_script_block.yml | 60 ++++++++++++++++++ 4 files changed, 242 insertions(+) create mode 100644 detections/endpoint/find_interestingdomainacl_with_powershell_script_block.yml create mode 100644 detections/endpoint/find_localadminaccess_with_powershell_script_block.yml create mode 100644 detections/endpoint/get_domainou_with_powershell_script_block.yml create mode 100644 detections/endpoint/get_forestdomain_with_powershell_script_block.yml diff --git a/detections/endpoint/find_interestingdomainacl_with_powershell_script_block.yml b/detections/endpoint/find_interestingdomainacl_with_powershell_script_block.yml new file mode 100644 index 0000000000..0209b6abae --- /dev/null +++ b/detections/endpoint/find_interestingdomainacl_with_powershell_script_block.yml @@ -0,0 +1,61 @@ +name: Find InterestingDomainAcl with PowerShell Script Block +id: e4a96dfd-667a-4487-b942-ccef5a1e81e8 +version: 1 +date: '2023-08-31' +author: Gowthamaraj Rajendran, Splunk +status: production +type: TTP +data_source: +- Powershell 4104 +description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-InterestingDomainAcl` commandlet. + `Find-InterestingDomainAcl` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. + Detecting the use of `Find-InterestingDomainAcl` is crucial as adversaries and Red Teams might employ it to identify unusual or misconfigured Access Control Lists + (ACLs) within the domain. Such ACLs can provide attackers with insights into potential privilege escalation opportunities or weak security postures within + Active Directory. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*" + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `find_interestingdomainacl_with_powershell_script_block_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Red Teamers may use this command for Recon. +references: +- https://powersploit.readthedocs.io/en/latest/Recon/Find-InterestingDomainAcl/ +tags: + analytic_story: + - Active Directory Discovery + asset_type: Endpoint + confidence: 50 + impact: 50 + message: Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $Computer$ + by user $UserID$. + mitre_attack_id: + - T1087.002 + observable: + - name: Computer + type: Hostname + role: + - Victim + - name: UserID + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - Message + - ComputerName + - User + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: <> + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational + sourcetype: xmlwineventlog diff --git a/detections/endpoint/find_localadminaccess_with_powershell_script_block.yml b/detections/endpoint/find_localadminaccess_with_powershell_script_block.yml new file mode 100644 index 0000000000..7d1a164dbb --- /dev/null +++ b/detections/endpoint/find_localadminaccess_with_powershell_script_block.yml @@ -0,0 +1,61 @@ +name: Find LocalAdminAccess with PowerShell Script Block +id: d2988160-3ce9-4310-b59d-905334920cdd +version: 1 +date: '2023-08-31' +author: Gowthamaraj Rajendran, Splunk +status: production +type: TTP +data_source: +- Powershell 4104 +description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-LocalAdminAccess` commandlet. + `Find-LocalAdminAccess` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. + Detecting the use of `Find-LocalAdminAccess` is vital as adversaries and Red Teams might employ it to identify machines where the current user context + has local administrator access. Such information can provide attackers with potential targets for lateral movement or privilege escalation within the network. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*" + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `find_localadminaccess_with_powershell_script_block_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Red Teamers may use this command for Recon. +references: +- https://powersploit.readthedocs.io/en/latest/Recon/Find-LocalAdminAccess/ +tags: + analytic_story: + - Active Directory Discovery + asset_type: Endpoint + confidence: 50 + impact: 50 + message: Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint $Computer$ + by user $UserID$. + mitre_attack_id: + - T1087.002 + observable: + - name: Computer + type: Hostname + role: + - Victim + - name: UserID + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - Message + - ComputerName + - User + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: <> + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational + sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_domainou_with_powershell_script_block.yml b/detections/endpoint/get_domainou_with_powershell_script_block.yml new file mode 100644 index 0000000000..81480ac48a --- /dev/null +++ b/detections/endpoint/get_domainou_with_powershell_script_block.yml @@ -0,0 +1,60 @@ +name: Get DomainOU with PowerShell Script Block +id: 0ada2f82-b7af-40cc-b1d7-1e5985afcb4e +version: 1 +date: '2023-08-31' +author: Gowthamaraj Rajendran, Splunk +status: production +type: TTP +data_source: +- Powershell 4104 +description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-DomainOU` commandlet. + `Get-DomainOU` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. + Identifying the use of `Get-DomainOU` is crucial as adversaries and Red Teams might employ it to gain insights into organizational units within Active Directory, + potentially aiding in lateral movement or privilege escalation strategies. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*" + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `get_domainou_with_powershell_script_block_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators or power users may use this command for troubleshooting. +references: +- https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainOU/ +tags: + analytic_story: + - Active Directory Discovery + asset_type: Endpoint + confidence: 50 + impact: 50 + message: Suspicious PowerShell Get-DomainOU was identified on endpoint $Computer$ + by user $UserID$. + mitre_attack_id: + - T1087.002 + observable: + - name: Computer + type: Hostname + role: + - Victim + - name: UserID + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - Message + - ComputerName + - User + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: <> + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational + sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_forestdomain_with_powershell_script_block.yml b/detections/endpoint/get_forestdomain_with_powershell_script_block.yml new file mode 100644 index 0000000000..861ea75471 --- /dev/null +++ b/detections/endpoint/get_forestdomain_with_powershell_script_block.yml @@ -0,0 +1,60 @@ +name: Get ForestDomain with PowerShell Script Block +id: a14803b2-4bd9-4c08-8b57-c37980edebe8 +version: 1 +date: '2023-08-31' +author: Gowthamaraj Rajendran, Splunk +status: production +type: TTP +data_source: +- Powershell 4104 +description: This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-ForestDomain` commandlet. + `Get-ForestDomain` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Get-ForestDomain` + is essential as adversaries and Red Teams might employ it to gain insights into the forest and domain configurations of an Active Directory environment. + Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*" + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `get_forestdomain_with_powershell_script_block_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators or power users may use this command for troubleshooting. +references: +- https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestDomain/ +tags: + analytic_story: + - Active Directory Discovery + asset_type: Endpoint + confidence: 50 + impact: 50 + message: Suspicious PowerShell Get-ForestDomain was identified on endpoint $Computer$ + by user $UserID$. + mitre_attack_id: + - T1087.002 + observable: + - name: Computer + type: Hostname + role: + - Victim + - name: UserID + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - Message + - ComputerName + - User + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: <> + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational + sourcetype: xmlwineventlog From f3876753bd813ab101f5fdcfc72c53095a3ab736 Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Tue, 5 Sep 2023 16:30:23 -0700 Subject: [PATCH 24/47] Update dataset --- ...d_interestingdomainacl_with_powershell_script_block.yml | 7 +++++-- .../find_localadminaccess_with_powershell_script_block.yml | 7 +++++-- .../endpoint/get_domainou_with_powershell_script_block.yml | 7 +++++-- .../get_forestdomain_with_powershell_script_block.yml | 7 +++++-- 4 files changed, 20 insertions(+), 8 deletions(-) diff --git a/detections/endpoint/find_interestingdomainacl_with_powershell_script_block.yml b/detections/endpoint/find_interestingdomainacl_with_powershell_script_block.yml index 0209b6abae..6ed44ce890 100644 --- a/detections/endpoint/find_interestingdomainacl_with_powershell_script_block.yml +++ b/detections/endpoint/find_interestingdomainacl_with_powershell_script_block.yml @@ -19,9 +19,11 @@ search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainA how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: Red Teamers may use this command for Recon. +known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Find-InterestingDomainAcl/ +- https://attack.mitre.org/techniques/T1087/002/ +- https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview tags: analytic_story: - Active Directory Discovery @@ -31,6 +33,7 @@ tags: message: Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $Computer$ by user $UserID$. mitre_attack_id: + - T1087 - T1087.002 observable: - name: Computer @@ -56,6 +59,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: <> + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-interestingACL-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/find_localadminaccess_with_powershell_script_block.yml b/detections/endpoint/find_localadminaccess_with_powershell_script_block.yml index 7d1a164dbb..163fbf262c 100644 --- a/detections/endpoint/find_localadminaccess_with_powershell_script_block.yml +++ b/detections/endpoint/find_localadminaccess_with_powershell_script_block.yml @@ -19,9 +19,11 @@ search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*" how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: Red Teamers may use this command for Recon. +known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Find-LocalAdminAccess/ +- https://attack.mitre.org/techniques/T1087/002/ +- https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview tags: analytic_story: - Active Directory Discovery @@ -31,6 +33,7 @@ tags: message: Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint $Computer$ by user $UserID$. mitre_attack_id: + - T1087 - T1087.002 observable: - name: Computer @@ -56,6 +59,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: <> + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-LocalAdminAccess-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_domainou_with_powershell_script_block.yml b/detections/endpoint/get_domainou_with_powershell_script_block.yml index 81480ac48a..012faf0e6c 100644 --- a/detections/endpoint/get_domainou_with_powershell_script_block.yml +++ b/detections/endpoint/get_domainou_with_powershell_script_block.yml @@ -18,9 +18,11 @@ search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*" how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: Administrators or power users may use this command for troubleshooting. +known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainOU/ +- https://attack.mitre.org/techniques/T1087/002/ +- https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview tags: analytic_story: - Active Directory Discovery @@ -30,6 +32,7 @@ tags: message: Suspicious PowerShell Get-DomainOU was identified on endpoint $Computer$ by user $UserID$. mitre_attack_id: + - T1087 - T1087.002 observable: - name: Computer @@ -55,6 +58,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: <> + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-DomainOU-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_forestdomain_with_powershell_script_block.yml b/detections/endpoint/get_forestdomain_with_powershell_script_block.yml index 861ea75471..740f2e41f7 100644 --- a/detections/endpoint/get_forestdomain_with_powershell_script_block.yml +++ b/detections/endpoint/get_forestdomain_with_powershell_script_block.yml @@ -18,9 +18,11 @@ search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*" how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: Administrators or power users may use this command for troubleshooting. +known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestDomain/ +- https://attack.mitre.org/techniques/T1087/002/ +- https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview tags: analytic_story: - Active Directory Discovery @@ -30,6 +32,7 @@ tags: message: Suspicious PowerShell Get-ForestDomain was identified on endpoint $Computer$ by user $UserID$. mitre_attack_id: + - T1087 - T1087.002 observable: - name: Computer @@ -55,6 +58,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: <> + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-ForestDomain-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog From 566b6b54eac547778ad6dcbdb4ea25979a7104fd Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Fri, 8 Sep 2023 10:13:28 -0700 Subject: [PATCH 25/47] update baseline time and text --- baselines/baseline_of_smb_traffic___mltk.yml | 2 +- detections/network/smb_traffic_spike___mltk.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/baselines/baseline_of_smb_traffic___mltk.yml b/baselines/baseline_of_smb_traffic___mltk.yml index 7ea60c16d6..ce1fefe218 100644 --- a/baselines/baseline_of_smb_traffic___mltk.yml +++ b/baselines/baseline_of_smb_traffic___mltk.yml @@ -14,7 +14,7 @@ description: This search is used to build a Machine Learning Toolkit (MLTK) mode week. search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb - by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval + by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval DayOfWeek=strftime(_time, "%A") | `drop_dm_object_name("All_Traffic")` | fit DensityFunction count by "HourOfDay,DayOfWeek" into smb_pdfmodel' how_to_implement: You must be ingesting network traffic and populating the Network_Traffic diff --git a/detections/network/smb_traffic_spike___mltk.yml b/detections/network/smb_traffic_spike___mltk.yml index f0ca4f0bfc..9d35639205 100644 --- a/detections/network/smb_traffic_spike___mltk.yml +++ b/detections/network/smb_traffic_spike___mltk.yml @@ -16,8 +16,8 @@ search: '| tstats `security_content_summariesonly` count values(All_Traffic.dest | rename "IsOutlier(count)" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter` ' how_to_implement: 'To successfully implement this search, you will need to ensure - that DNS data is populating the Network_Resolution data model. In addition, the - Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your + that DNS data is populating the Network_Traffic data model. In addition, the latest version of + Machine Learning Toolkit (MLTK) must be installed on your search heads, along with any required dependencies. Finally, the support search "Baseline of SMB Traffic - MLTK" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by From cd6b8bc7ba3c39c7a868506938ac3943e9871d23 Mon Sep 17 00:00:00 2001 From: Kelby Shelton Date: Fri, 8 Sep 2023 14:20:10 -0500 Subject: [PATCH 26/47] Fixed automated enrichment to reference renamed playbooks --- playbooks/Automated_Enrichment.json | 38 ++++++++++++++-------------- playbooks/Automated_Enrichment.png | Bin 75892 -> 91352 bytes playbooks/Automated_Enrichment.py | 32 +++++++++++------------ playbooks/Automated_Enrichment.yml | 6 ++--- 4 files changed, 37 insertions(+), 39 deletions(-) diff --git a/playbooks/Automated_Enrichment.json b/playbooks/Automated_Enrichment.json index dec983d0d9..0a22707539 100644 --- a/playbooks/Automated_Enrichment.json +++ b/playbooks/Automated_Enrichment.json @@ -4,7 +4,7 @@ "category": "Enrichment", "coa": { "data": { - "description": "Moves the status to open and then launches the Dynamic playbooks for Reputation Analysis, Attribute Lookup, and Related Tickets.", + "description": "Moves the status to open and then launches the Dispatch playbooks for Reputation Analysis, Attribute Lookup, and Related Tickets.", "edges": [ { "id": "port_2_to_port_3", @@ -42,7 +42,7 @@ "targetPort": "2_in" } ], - "hash": "4146fe0c2400673f09352662ce5bfd3438a80b71", + "hash": "adfc98a6d4636d6c91f53bcdbe09e7cf6398c8c2", "nodes": { "0": { "data": { @@ -58,7 +58,7 @@ "type": "start", "warnings": {}, "x": 19.999999999999986, - "y": -6.394884621840902e-14 + "y": -1.9184653865522705e-13 }, "1": { "data": { @@ -79,19 +79,19 @@ "2": { "data": { "advanced": { - "customName": "Dynamic Identifier Reputation Analysis", + "customName": "Identifier Reputation Analysis Dispatch", "customNameId": 0, "join": [] }, "functionId": 1, - "functionName": "dynamic_identifier_reputation_analysis", + "functionName": "identifier_reputation_analysis_dispatch", "id": "2", "inputs": {}, - "playbookName": "Dynamic_Identifier_Reputation_Analysis", + "playbookName": "Identifier_Activity_Analysis_Dispatch", "playbookRepo": 2, "playbookRepoName": "local", "playbookType": "automation", - "synchronous": false, + "synchronous": true, "type": "playbook" }, "errors": {}, @@ -99,20 +99,20 @@ "type": "playbook", "warnings": {}, "x": -1.4210854715202004e-14, - "y": 325.99999999999994 + "y": 325.99999999999966 }, "3": { "data": { "advanced": { - "customName": "Dynamic Attribute Lookup", + "customName": "Attribute Lookup Dispatch", "customNameId": 0, "join": [] }, "functionId": 1, - "functionName": "dynamic_attribute_lookup", + "functionName": "attribute_lookup_dispatch", "id": "3", "inputs": {}, - "playbookName": "Dynamic_Attribute_Lookup", + "playbookName": "Attribute_Lookup_Dispatch", "playbookRepo": 2, "playbookRepoName": "local", "playbookType": "automation", @@ -129,15 +129,15 @@ "4": { "data": { "advanced": { - "customName": "Dynamic Related Ticket Search", + "customName": "Related Ticket Search Dispatch", "customNameId": 0, "join": [] }, "functionId": 1, - "functionName": "dynamic_related_ticket_search", + "functionName": "related_ticket_search_dispatch", "id": "4", "inputs": {}, - "playbookName": "Dynamic_Related_Tickets_Search", + "playbookName": "Related_Tickets_Search_Dispatch", "playbookRepo": 2, "playbookRepoName": "local", "playbookType": "automation", @@ -148,7 +148,7 @@ "id": "4", "type": "playbook", "warnings": {}, - "x": 0, + "x": -1.4210854715202004e-14, "y": 660 }, "5": { @@ -215,16 +215,16 @@ "y": 148 } }, - "notes": "Actions:\nDynamic Identifier Reputation Analysis\nDynamic Attribute Lookup\nDynamic Related Ticket Search" + "notes": "Actions:\nDispatch Identifier Reputation Analysis\nDispatch Attribute Lookup\nDispatch Related Ticket Search" }, "input_spec": null, "output_spec": null, "playbook_type": "automation", "python_version": "3", - "schema": "5.0.9", - "version": "6.0.0.114895" + "schema": "5.0.10", + "version": "6.1.0.131" }, - "create_time": "2023-03-06T21:07:35.539177+00:00", + "create_time": "2023-09-08T19:06:44.883418+00:00", "draft_mode": false, "labels": [ "*" diff --git a/playbooks/Automated_Enrichment.png b/playbooks/Automated_Enrichment.png index b1a332e628ddba8c34e009486274c23539892011..42d3904f611eac6522cbbf6ec4ef6faf0e1b94ac 100644 GIT binary patch literal 91352 zcmeFZ1yq#pw?7I4NQjhD5)vZPrAT*34blyw;7E7p2!aX%k|HyJA|Tx$jew+t(mj;G zP|^+mXZ-s8#W`o)`@i@6*ShPjbyy4DnfHBa?`J7+_E(Pl2k zf@sS*J-dH}i7k{$#ydwjma%$LeVwMh%-L0ASj^?5 zEi)3Z=(iK#w$ylmIOgZ5)~FflO}-do6H zUQNy?U)z+h4KIy1CV7ouvp5xrbXJ^?U06g2TQDtR2e-;0I+M1En53|<%)ee$Bf@6t z^66H2{zx>8a#{6ZFj-&HyggfC?7TYLbVjjCBusvi2+IiBonVEN?n1a7$zm=%*uVUI zRI!!%6;{8M%$mgmemJSirB=^=CE^m(wB(}@=>E(dA^f}5lWVg1h=>m{AZEvJt34AC2OI42Bo5MrC=5g_HK~59-Ce|b~~A@ zX#4pvOl6dtGANNt>oDP@hOb-gQO>T#5`hS3fO>`qy8zxJ&Q^WJ=7py(?lO5M{$x|g zwO68AD$c;Szgg<-bE;3)ep$g%Ry831wi?CtqEbGt7?N+)6K`1;6!LyGG$UG_tpkho z84bv#5tltxm>#iRStj_HqlM!(d-<7syjy!Jp@Iq_Cz5ooIo*5F5W(3Stv5DL_3V^i z)Cs$!w*0p2T`Eo9(97C6(Xf}7A74#ynfqEj`NGgz;*f$2Z+SF9RaU=f1e=4rmzujmwtlv7ZeARmVx1r@WpAl|?YJZ%cn6>R zC3EY;M~W1s{owuPA9!RM>trGkI&A|!W-Pk z+p$Jh@hmQ~HW3V09T{w~5Ds&lHx*S$k}L>*alI#;xg-DC%LpPaa>D>c=r7AefKASH z>E^RL{3J?gI3v}#>X3mZ`v*i_Unq(x^6}`Jo)j~zK~7|FM2Mlm11QL6+(Njx^PW4L zI-R->CygAJnfXp=6b;Lh7kB4gd}dK^y+J7ZA;$aWl}?#ba&i{=EM~VDS1a05seOK0@fA;oO>-TS-vWQXjD6xO|x@_uBUUR)b z$?L=3GT|=7_sY70MS1{D(;$DqH+r|`w={GSUw)Kut3T^$>MAD6zn<6fZq}{gna3l^ zQDwx70hdb~xCYK5si8Z+ULF$rGdEDpM2*ZB98#WQPe%l?_7k+>DnBEI%im|Sx_XOT zm5?&DAT%UY=a(6prH+;2<*|av2Wo%nffv=SIjzrIJzA$)=UYkUSRdVZsUUb$H1_nq zz)jwq7+qCk`EeC7r5bfKO8`^eo1Tusg$J%;Mhd*l1~FbS(Xo7SX|d8e<+q2g-B2Zd zu9+-nq&_BRlV$qRT}w)*BBxSU+Lq;Rl2}U3J7Z-@#d@`XjI69D?|&9hW#7_G$*eSX zh#ohpz_-0IaXpN2-tjf7z(3p81rj#+(53yM(mm6m>zOsIEU1~k#l39yU zNXD0uw>erlT175K^O?642aMw~MWJPeWpZwfKNWizd0r*HrZS1hyDOikou{%Irk^Hk z<`?Q2=?UMLTW1(wDoQ%N?jp4jO@ed<8(JK?nZo4~s)T^5VjfEFBFFMJF$-czk$)m$e z8Mmh&ev(axH>H1jSoP&@h-MgZ3t5XqOJ>-Wu!BfvR{RW+3>Br-*HGF$;vojKc>KL` z`{joBRj;)kfHDpYJ#wLBX}+C0gLMu}Y9Cft4n z-}04=G|F--Y8*65o)|9~7L`gpKAUbEzV-D+WYfDt-VXNkQ_{*^+has536~t*yn9iF0-PV?~`&< zPipSg)Vq4QQ-3b$pji~?%lJBlGn9*NhgW6+q6SsRpS@Q zcIryN=t)L&w&wdjskBCar2me;*P#@hjkq?yYj=loAXT7gqedX|ocMzH;`KQa`zQ8f zFgiFKo(Ml}Du8Pm?dO{gLx;PWl9*KbzoZ}7-`IEG-+IU`!u^^1v!nw1O%5xEj{nPx>#W|MkErhdgX4P7poYh4npjWc*HFG`kRj~W$YbCcZ-Vv@vq80n;r`GbP z7h2uQQ?Dzds1)zD2Gc;lZNK#^sVuqrnDi_8{G)l!`PA0v7im;Mx8SM#QkKfiwXNx` zUtfB~uEkoZ@N~ZGd>m^RJClu@&8@bg&X6i5xhMBd>m7fA05U!m(Qvok$-QGaA)~g< zJCcLJEg*k=wDWP_YoY5&(i#x8&|XJv^3FLvU|VVJar0rHAd&n0ISvI5h9DluqDTifHdm3DxM-~X|^CQ z>}sZrbd`^+T~{lh{78Nux$sdfQ_c;XqX*Pnr%x-X%-$bn9wz_zvaj~erlz*ohZ~O5R^A&TVCP6 zI^yub0XZ>WRWrR3na zp(B9jB>7~O#PG%^vHQ}7`q6`$Ihzh0Hp}+vc56>xJ+-yjcaZY#IO?x#`5Dd?z06?b zAMfkF@%{Yq*Y@M6i0A`Eht$?5YyWO!Tn>9tWm`pM+A9f$m>yJ2urpmctDF}Rz(5Z6L9Ai-^~xnkLl zVI;0_rcU6e(vrq`53Fk2slLX{{bUDeCR4)e4%g~uq-8eyb z=R?CO;}d(T+qoBe&G*8bD(gLhCVo&)cwLx%sqNeBmZAw9J%4kw^({MIQ&U>=Snjy= zIPYxar_-C6jeY9fgNSO1!Z`!15Xzn|2x?Cl>!}S^|Ljqun6b~f&NT&}Cwff3(u%hu zKiy8n8vJr`@R{+@%MB-3(gd}28EqGZ&6Ida=EFUismV*LO-33nh4IuZ68QF!NAHYc z2+uXNQbmJaoGejw=uLg;TW`b)O!c=X=-Uwm0mUn8LzO2Q8d#j*GXWMZ_H`^g@Ch6I zN@3IeZ7iJM_aRtV;Wk*ff7(F774s7VeldOiy5hu!Vc~;s6yVo89rAZ;2qGQl z@6VTLz%wja9eEWMaMgM2YHjW4_SDJ!nSEe9xIyTA-^dLMi;4~Ni>;!4^A{L@#75W9 z-B3ea?6H#rucejKBWqr72WQMUSQ6f1;G=`JyCsvigT14hn71U$?-pX&jy*r2Nf=C0TS8*giSBLy1=z%ww1 zl)znKeu>{5{?ns>PWdlg4gc9ySXks=d;ZIl|JYN{&DvGo$pOsiF7?m-`qTMeAO7hm z!G|IJUs&-MpMT#4jFuvj;QPm>NfBWUnka&Oq_0L zNZ}iN)BV02A(^(y{cVC6Wqdkyw+uYfFO>^n3oO+tzW4n6x_hToyxhEMs}^fF;hy_X zykJs7uL9SmHuUTTA3A3jGX-No2>$wmdLx4eA7C{iiTKB@hlFGz$pn9%gO;g8WFnG_ zi>QCz!G-?(N9*9=YzQt?(??X~?;(S+;Blh=GD8j)d_c#XBxoIRBjN|9<*Zyxy>|Eoci}O5%Mrw=$i5x96VA*SQ1$^qNdjM{S_ILGZnnOaGGFu)qwqOz_GWRbJQzvfLayO3o7*V z3v6GiIITSC$0I<<-gr+_>4ZvWo@Bb#;*#A>!1TZv+k^G{wzZn7--Dv1~+x$6>XePQ;8K3jYT&Zy)ec;!L@E`=_i4}u&+j%VYtT)lmZ0y;C#c6N@Nwi zT9IQ>ST$%9E=){u35+E51T!mK4)2s0VR?9>{pm6D$?W?)A1aZ(fd_I-LD&%3x&EL6 z5Z0Qjzl5AUM@Y=&!L0NI2yi%@<>f-iWSBmJQxHR9ikqT=ibSP{)vMw57DqF!D`Uaa z3CKi31S!fxe)o`h4=>BgQsU&|!Wp>{cge%kQ`N*I9X2pW(=WON%>dMbaGUD`4i)7q70DOn{gw*;i^c;UB>cT%nvC<@^W*n1~f8` z^xk$S^2|GU1hSIJq~8Wy((+$3l>=8o0a0BWpeIz6AuyYtSCwU%dI3cu(SgOsP!#d7 zcmKOkFs$em0>r7$CfNvMoH5UUb~<0cP86YXc__p-RX3-nCR+qFQ< zzXH-DD6KBE0ZD3Xoi3`kWKinb6e4QEnIdG65=tiLHqT|85f=yy6&8AlTqMp7Y}+OT zLU4@>90>iGGc`7FO}N?4kqp+OqJrWci=UGrXw?sHqMdk8YT8bSfYVW2S3s%vVnf&) zF9T`L$AXs`%I@?Rw$%u44K4l|hvAl^P)%9(-P`I6)Pr(}Rgd_W}c z|6?Kp@q6Pm#blvUD~E_*(Ng>PKD#CDZo^!9co105O;Hla7KS*lwUA*q2&`WzbpP;t zDDmhL^zI#@C%v%|eASalS}e}T&EHhWUX%mcezef#_L7Up-!@**JVaLf&9zLxvW(7UJ(b!Gk-|)Y!mc%n) z&ZlhIr*btjH&@ko!g#TuYMMj&st7v-4%FTySHnkRw;?d@aLG|5i7iUkwpwb_XDhns z_Lv^D2xlpD$}<71!Tb^leg9&p$Zl~F+p{H>^}UnLdbL~7$*FPAnX|?>;+r)Fep8!r zo743R1vzmA1G&X@tD!1^_uxCsWQJffABNxZyu#|-=GYN3Gs}eEYwtVZ)QFt)pRX8J zvm``tTAk07X{tmsN|t(bjwSLqOC427cfS?LC=in+KuoX|_MV@Ygct0Si6GxU#=}+v z;-^6H3UK!}tE@OZ7(ceTn+qW=c7VU#Bc$o|ZDM?UA%s*qHt{DFY@%)7vwF9bOX0c5 z!S*;;pW4OwS%C%^mYqH*-_&#EtG*urV&lyt25fQ&dl}Phum|apxa-cCb4SF7vlP-; zZ{a!R0b5l-B9VeNMQ7G~=%HSkk3|UQ=92BHvIc82a*gL2da#zTE5p(`$3=}&dcBgH z&AM8Qehad+qOKozS9Bf+w3TLL$PX8qacx3Vc)g~5qA6YV7S9f53>@puVZDL2*28|A z-ChkRIMvI|J60oRo=|$2+bWGRqenis;jf(2)f<}k8v_F}3k!S4Q^%_-D(+U;o}C_l zZ}0w~c-#&tC%Q)Vq8M{eyVG8D?nTSuc$)co;22S9TF`klF|DA&#Q9!EblJYo!TN|>;7ytJ!wS~uH`Q)S zHtp%bGNyo)F0?DCgSaNzQ-N1zm%C|221<5(`u%8dvTKf3z&Y!$sePhhH`g@_@mZR( z*+$7X#${!(^{#T-rv~hM<-5*|8^daAnyVepsGX`cQ%`G5ooB&gP3b+-6`hH8PJ{c; zch^nwp0`q)d#m&weaCZMP9l9n=X98?tE+q8+B&l=s4_tp<^OXf$k=K9ASdVhzES;? z*Oe1mFN15mT{0?PLm)2XKowYj44KjFgTUllyt5BpzmzuR>FI%v^-+$$w+sK0fq)Bn zJlDy|WQ51BDy8#Zf>K_;KoW%P?RgyIx+DZ1bZjmzRZadJk2OUKtZQ)5`RmEdkX z9AcpLsF_HgCeoCAW;0!Pr zi>t_{XvV#z!gbU#+;~D4Yuabz<@hSt<+9*3xDYVsr-;km%j3Avsg^Q|tD4#Cy&0x( zp)=bj=;{<(KLb)fgL>DX%UVE3ak*P;Zwn#N-%=?>9ROT9UkL4!v_E5S*WO_b5^6`rmlMdnTQ!pK1&QR4hzo= zyn>ttvLdn-A=%k=7W5LgaTvoqaoL<}icA9qVyB9pb2w-DesF|n-&Q%M)TMPD_f=VxWvo5YN=ga}pMk&x-BniYflQ$>`e8+(+!h2y)Y zZkpXF*^vCCl&jGy<9;)Ij=b7*Q*fOr-OR#gPfRAGHMNWKoNgZP4)or3W3%;d74h4CgG1F_ozx_2E53i$b%F-F^@TX=$O9dRgtLQBS3(3>f z@zvbo&RZ!R-F)ZmV}T=62c7i?XXBiW+dtfTVajfJy$qi39!~Xa(BJOv!dpt?%1-lq zwWBI!por|sXCiaKmd1g#a;%uY0a}U$d#rvJB1??O+_c_c^`#XVGMkmIJ|-$4N1KEX zjwsY5Eu{v@2D(oxZfI<;4P3-(+++A@uVX-&#ACwCfMocvA=bE+Ws+apK1A6&_@OW! znku1KIi4$f^6e=HWJ$_zlg(@DsCzIcKMn1V_8Vf`iu^tg6;aep#)FGsLJ<-4mo*`{ z(A#;6Rej(Tv}{_VbPaHa625Fu?G;GkGi)bB7JF`p&LlYn>_q0*);MkZ%vQt7=|W4_ zAG~TZGBa~9(^yBBeUJzjN|BhDV*x=__kH}vG~8ZPwAPyOeUv&$brO8%?c=D}yu#0e zK6P*WVsn%)Yxta9sh;byQ;_tQoNzt&S?W+>XXLB*T`^F|)<|K_MtEjbbT5B5>2TU; zH1Tt;6|3~k|Bj8n#%`-Zia^u7<~?!Qw&NUHJ*vwrL|P#4*@-d)Ny@!{QW|hJ#=b&%{d6;jNeMeaM z=jk^qTZ=s%$@a40K(e~yy6ofeu3g2c;5(j^G|57+RBjas<$={qCyPCgq_cv`Pr@Zk zWH4a55X#bq0l?3(lX$8j*RdBUNyd={`u39b&8Ok47;h7pc8)JZz@@wmTuHL1DOFx@73IL^22N!1 zwVTdV;&G!luz@A{_K!%Q1q^VDg8R0QpgY}8E7iHLX{D&U){6H$mn zAXV0)u>jY8$~*wwWoZe=XTkh&*KnaQ)#7JZ5Ii8umqQ;{#a;&9FYwzUfJ=A_j}Y;- z_vXGb7I0YI{)1Bh$rfTWl*NKWfJcqjTw>A*u59d!!5B9>?imO@U=$|+_W*ba*)_nf z2TIR8MIg7}I_q~HwG!lf`sBPH-KDCd6K6kK%*;9U{sv(4CD4wxU({M3T=l7h6Lp&I zIPY)HSPV*Q8IO;TTODmLYN06tz@&m;?cKq>9A#j#veM!b1c*~~D)jJr$H$Fxa&tLh z0})bQ%F5y8m6fV)Zf@V(=dduS%fBz?IiMW|$lil6lk^?BibIx{dRj`%UZir(b9UvqF?;mD<17ajdik005c>m;GG1vvN z+X|r7i|Z%e%m4tAOL$C$2@PIFBQd}SkdT!J#oA8*k;(YM128~>kj5z30)lHmh`1GA z2h@@M;&v9k6X`WRF~58WMOp~Vhy$^kvvUji9Nm0bAMw<+^3@K z14|?F({q`75XoHM4ivL|`E}a~peXYkxb$X^mMmglulr&d)>x^uRca%n=Udg8T<+D> zJ!H=3p5|xTNQdj<3OL8fgRS)Xl1>ewQn) zI(jhRwSfhayK36AR^Mi7+++KguE=KMHU^y3qGEDZ@^N3GgAllL6!!>E+$wy6PMe?f zE0SD1-3c09lzLw0JmKKg!BvEwbzS+vwtaq5MkGpqg6aGourSPZ^ywW;;LC46F#Cf) zFfX!YGT?yEdcd+pu#&pe(&cf6|E8aG*XUlxMd0n%5!BZ9u;0tp1IyM`P7DOgu7XHX zSa26FeXLjf!RTK+6L`{5z2sjs5wH`mWl%N4!`En}L%god!hN!rpvs$U?o1jGap3-i&^-$r{c zVc6XT*nK;iH$WZ>?uch=YirdU`qF6inj6mdydtQ|-EK?0Z}2Yv z{JV2JrZc12aTunveeF7lpfjo|-=oTwhR;HLF34(*@oH&9>bS__Ue0zj`vu#Lz}=a_ zTkA{Pi`~}4`77hXM3^P~6*t%%zr=!=5q+Y2;W=ulyfRT`k>qiSn1%@ikOlSvwjT#a zMvV5}rI=VvpW+EVZsRs8d8C+hQfOYUnx&c6_FB%2XbT_}3TD8(?U82%5irFh$rPE_ zTTk#gu%8_t^yLLMBXw;h5$f`h&@CbFn*#jnU&yMiXlZI0Q^&H-KFFx4laRXP6L}M>d%SGH_QM z++7Ppkgx{J2mtCH?T%6dtn;5R_wD;Y%ahTG18M#S_F5nf%N-c!Z(x8Y=7SgnJ04gZ zA8=*}Xn@>aDgK0kIY)sJ&ce|25Kwie=>sR`BQUzjnB5MB1CxRkk&F4r1Bm9toVZJ% z2M%{G28yi&1Lpjv0sjI)Nn9TfP}tZwdUgdC_LG>={lV%x*0rLVIzKNkQrCw`v$ZLD zwc(JO$?*MUFHTv|<-d~&nM{485SVNJ=NKl61)tmtr6ZkYd9OD417IRRM&Yfu7!RZO zGQ^joV<)63nVt*64%fLT_=*z^(hF-KEXgYx>DB!MgFgF{Sy{AHfeJH z!^p4f*3Zkme`WIeAlZS}G0vLI9bC{LgISpm2>M?zw^RUdzaIntRDf0-qYdOxRuunR zTH(LLzyDIr{Lg^@-wO4AYg150DEp^0n@snFdEO-ce3HGkM6}*t@h3|hJ;}I8fQVGv zaQSX`sPo9w9VYRsA8(feu5<7UB#S@%2T8w7$ReAXee4u3%_aewx`V9O#;noHm)Qez zzvcXygfs!7vxLQ&LS%2oSmM`x>i%wEqiT+Q*VTVRS5I4*{-m iv@wp>1pjpO^2R zatQF&2>muQon=iqX<-zA-(*+duDHEVJHB83NB&52hFqq}5EumYHWG}X1hx|wbNzp1 zJO4+h|9>ph|JxqYf3?frR3dcO+r&FwYp8w9tRCYysg@IWclb;2cUY^GMIr3-v3{nz z*U#f=sHbRuyHg6NK}iX&t%y(mF6nb}&+f-8<($(kY7&xyrc)tJIey;ykLFhX-Mb<{ z;6l%;s7NJ#;O&+I6IIw?F0NBOt)0y<&QI`L@LwLinaH4r$GLP$^7>v0QjLt*i2UtN zZF4)Lv)_jTpGZMIogOZ9-E|iNoKbE77w#+%faEGa2_+{r~)bsil(*o^sF81ot%>PR!3GS5!%o5&C86ZgPgL;o&)$x=3mM= z;Q0^_50BFMs9LLl9{2fj8z(h2wTKnRL15i*S=a#?lQBP-0dk@*W41^y@zhx>+^EK$ z!{A;7g%u1O{aApUsb;8H02uEkB=d7u=TJ{9F&;j^f?fdMnpH5y9S0j%mFvMbJ!qk0 zq9?b=bqGPI1@QjQ1wP^vFrnZw0tTYhH7j3&o$uq45mbQT23wTpfhJLd%N4r1dJJ@v z&yE6pg8`omm7_dagM*hK&rKH>&{<0@&4hrMP!I!enCCT^=Z?IhJh@D|DdY$<+LLOf@Es6m(10+(l7?;k1s24b zvSW#p-QZrgm;!PpeDaS163iKoSUviAjQ+r~#3D+=lXCSMI9kQA{gCwN?AZzLsY- z9;Nn2f;RT{@p^g2KP<9-hgrse(W|rBJ0PCZNOziP7*6;m8*&NeC%RN=-JSTVX1m&V z4~_8n9lEs2g2v%mS<#?zRa3{C46EJc5}%RH!nw)nGV3qTj;8cx?_z|93M|EtSO}?r z1^36T9Ji&T6>~R~(%UH<7#zHPBk(YAdM^iXk3c~S4ER+mQxix$_peNc$^_Y$DbH$5 zl%ggjw)9W#=M?3Y<=(9-zd0>t5%c-gk&RbvXKAa3;%2>c-h^1)?;(u95R2b4oxqxs znm+T;S+)KmH(DJY9PAh&kyhWIa7t^vq99*34Cs!fw(vJP-|EZ$SWv)YhkPDE)x~}z zD1Ps*FeXCN0>GkMth43Kr)xw?JQei2{N7q+*$xOXq>zOu4ko1Hxd(fq*u$Krp!`(Idmmy{bBl{7pi zA0<1?UeX8bzH!}FXe$qr24nI|LPwezqcu8f^bsM$w4%$La2jK6>Af<(krpTv_Sf8!=-w zahi&0s7~JoY5bc>W`Q1U4V&y6h6Wbl$(wWG%2E#R8EPp0XwLV3K&4{}a{hzcJ$Fa? z`t?faq(?)}rQ(4o@eVx$vs?$R%3lL%(@Y={UC5AC;!@(j`yGG0a)Zd_deR2HcG2vc z*!$A+t8K+e0|1NJmKhfKTRs2TnTwL<xHJ;L4R61|aKK8}YV*RtK>#@q4fY`dH9 zJ`4tH^AyH-`C0&NQ*zN=xrz~|{#vh!wUYLakzzq--J6-ErGk(B1n2-Fy0H8h`c0&D zwMaA3V|Dn+AFxdkD2r>#6`=vS`MI&LS}$@gV6se{kfEWW(kV~zr&Bo_Lne;Zi?RBGy4Fl(;|O7r5Z~*)}S!B zcl93hPf6$lPWawSx}Wc)mpEZL5-q;;7&YG;;z`OVq06aydY^{$T_^MJ!bG{7{mF;K zOFuF-m~90#_I?BZw)dk&tv;RK4Psuu)bqPIk>G7pY}Qw7JMx|_kaJq8@(%7(MiKu) z_20qhu2zh#AT@va4hm}JtgeyBqavGc|G>vQ@&=DkuV2pafRY*>M$`_u2#$ov9Z*F_ zMoh9~YLtDTNwoODaLjJmM_Y#y z8UD4gVV5zv>bL@eH-=e&3{wi2CPlTbl3Zl|?)23D@EvEy@)bS7Prm+D?ZguiXw{_| zYJZDy@saR?m2!ZFkr7~0TE+77CM^Vr1}*#xgfNElQmv(f)H;UG z5a1esGN8k0CP?fV;sXAs0fpOfG599_I7FInmV$Z`v z&~cJxRbh3wC@EQJ#_dVZ;nw`epvFLbpD)>Iow00c*5BTK7kn6Z>e%(}UJ#tyq|$V9 z$(baza(e}KIWx!RWkrQWV*|jp)w0|252Ru$>_)^EcN0MM(3nj-!;gD*i;0N|+gt2q z1rFl&jYyC=k@u_5Yo7GkvEHT1KqRG5TuQseJ=uN8a}|0P2VEU;ilG&PRa-m(02c&g z_lQyHhm$uU*?lNkDF#53nE9n%q}RAsloXl(cHJ~^@ow)iNPWi*Ka_p105yC(2Ihe;?bLpv-`y>6J$o%(Wqvqz*Fe?U+WJW*x5-BRMV0GtRj)I; z$fU|V(0Ba`RKsI~i?`MgsI7bl&iD&-R4sDE2zVP0fwvJN${Seus%a(Lv#C!JWU0yE zW&ZG;eeq2d+@DD6AFWf!nZ%ikS1kdbE(5W$)#@elc$)!O zM+|dFL4TI{gA)>Z{-)eA&vh}M6XZhA1Gk^O38d1eMHN%KMAXT^;lhxD9U{CnKo}AP8OvypAN1B<%q`;mS;`VOi zL+?^-^x5U+W#`a6AGGtDa%VusQp((KXLgh{S~`p@@}Gx*0A_=OzEUH>$^P~&$5_uO(WLEJfNyimV# zv{GM*?c9Zr?~M8Awa5;v(8X!reyY2vdhv6K>#+^HxI^O}byfE($~2QjyTXP^pA$n# z^W~gYhRGE*(+zE}gNgFKjQ}H%_IL=ES^Y~1wY%c=rYV{3cyLt-7OHVz&d2_2NiCYa zCEL$0X9OsxdcT9jyu!nh0js?p88qE9rAQjynUjqw^6>gTTz{&(HdPgDcAyj|Y&- z)kV(cM+=q4kC*z4!e?K*?5FZKGRY7f4S` z{6=`RX>hw3L=Ge^U#z*El7*wa48BqB3D@}M1OwRv*-V4jp>dJG4Y{b>vWY7X00TVl?+N}DAojxWWF4+aWJ3W3&}Mhcsq9~EWS ztQm;nETx@qhpMMZ3AsGixiFNeY%4Sx;2fDb+=)ygK+xW_|2sr+t3uv%_Uyh|M14kr z*uYw8uw5ZRnmK5io$WpfJtaWoc;@9j�ndLvPsaoz4HQ&c2384$|wDNs){6)UlXN z^fl!a+Nb)iKkX5sKQKm)bP3M{lLrhfN42lnk+eLiFR3X_(HO%6k)ex9(hk8k7 zxJCuCDf!1NJ21#(j6i#Nw{_(uQi#;YUYT|2rWDaD)+P1t^9=VDV}%Qug$iPt`GaP^ z+B;UMKr#(qI@`KEK?LqQh;;BYj7!U%WER`-M^+5vdqutOtG_DLIa9BSDE zGi-8SJx`N!M69n`#_jao*h2G(<26!`=Aa~ZFsj7-+(vK z?vry{o`7VRyIih*pdcv2q-bd7)trH2!*|Xz2tzY^4%~fZH&XyO*q4wK~s6 zJKG|i*iJn*hey;dDB^M_@4}4k0#x4I>4)Nba3P`$!w*uRNHEKb{md%E@BPC!3*wmlu>CN*!5wR&JE`Jcg6AhINk$JkBrk|Mexj)P1ZpHqGTf zR5KrKi8B2uVkf>h2O2ioveTDruqj7unIzuKY(-r%Bd#eKLDA0O7isEp6kX7KvKhqG zj&xSt#yelnYdSlaX1mJ1;fUO6I0<6)n)Yx~>6@wb;`6aXTdlrb9WF>RV^`-~*%GCJ zWP+NfL^*-UcHn*aovMx>GvPyrzHi87pIrK2Z}HLwLYcsYNIE}c5#0)%&o8_xqVYt= zX7wNC%ptzyB2^RnY9M%Jtc=n`aj%cMl>fk#-NR^yS;<9O#9SH6#g_s9#~8%)jLg<` zFBWzx-sT2Msp&$pPr9zdh0@*}WcAt=N${PW98{5PD54~04<9ddfel!v5`1S+<0!dU#am>g%ie`PJr| zR6))CS17C3w(};ZVjC(dTzg3y`TW)dWC5ZuncFC`RsAhTXC~IJs8OI~#y79Qcl}Lx z5Etdk`Js^^6-CA874?5rIj_=}RaYA|oF){BF3RcmO6=S@+WvxXWU#4w<9EtBi8pT5 z>9dh};G*7AOx2Wc*_x;gX`cV8Lt|{f{+OEQga`G?Kz4L_d4Bx8>9?FC=3W{8sZZnl zI;;9@)07zlW!j=|z}5qgD5c*B^@`|SZ;Phh^DHa%LCQ5 zsUCMlpZ{HS%`4E0-bu;H{I{y>h=t-Jf1|<%w5y$oGAvsiQC_68DcyJK^Z|L6znu|% zCcE)@$8o7*YrZNzf=^6(wl;I{R+~CftwL?jdbU~7bx@#P+`~vVoeL-!1Hr8^C@Qkg zaB0oP5R#34L4;h1*5Xtg)otGwb7pkykab<{bJET3s`-{IWDs?Dd=D|AOLKN`ac&ky zdSk=ht>_z4T(iM*L0~wmpvpEz`fN+!pxbCfPXrXUHcPL1oq0$nv|KC|=eO(AUFWkpoYcmhIj`U{QtF_DV50-kK?Xg#`sqvbMz@X@RW6tWQjOe(p5pEGn(bd`+udWp?G>?(T9!JIJ)tT)bx`pm=di(mp$w?N!O}~e^@Ah=+HQo_r z-U!&W5dAqiX)sxiE?O3A$E6p-wJ#usj)`K+<(iudMC=F<4MYE zXW!DLY5b0^1TJK0=c~@o)zRXQ$5VRsrtlfP4Fk9G#3%WdObwinc^5Gcy6b#)7Jsou z4ewX4gxM_?w~$m+=E&6U6ke?u(RnUc=-hDnK|HEeH zSa`vEJQdRQ#!(`2q*pfJzRWJx8wj_)Dq%C%Ej$2!vVXSNa6JoZ@QnYK*4X4T711Q> z-OuE6UY(6}lQ0Hcdj7NVZ{?cK6!&Tr&%^_RStCa>WC35fh+6U zq$Sd~w{B2wT=c6H$d=&2v>J1)<+H9=QNSw#FNVCV zLTYN%=>Ecv_4yvOhwz4FFFdRVWvSkD8`@wiq8iJSqZMRX^{ z!asFquai%$;EYyb&uHL`L`2~-BB!cH2jBZw)j@Y*?S?(&&`{aB*JMGu)Cq8$Sa%qz zbT0-qy#US28@?Ou>^bY4-vW+TV8d0{hKAT~w1Jux~m#|!qzI5TJtRr_r*67EiQgy>w)reUf>9u{b>CO-bJ$y6Z29g zM5wSzL$dwu3?iGBE|$Yx7v5M%WG#P);ETh&-Q_v%f`4Q-C!n0OSk_0?b&ta9E~o($ ztH|k2+sJ#34ofy;U*q76xmH_u)Rxz4a)cHNLA$*}mq>yl%y`p)MeE*K*f&t9jP$Re z5*dn^kvs|C9$(-nJqev!NUe49k}{7urnhAd*ynNM|yNwR|%Uxs}vn|!_;Eg2g;*AY+K>M1J?tY73{PkSmkeOpgc z@&g*6FmG-kPjHTYCTC|0!*HQX&s$#|6SQOFuffdpG#oDaE+qMuEPj1$r_!D{dKrv? z6o+3diNS?Z=Tj?2fI^D^2RCdrh_fY(#H}seV9w~xd|OmWs#@~+r$VLNyjXPZfL&2T z`qWS%`V&k)OR77kYbn(a?*I0)Ku7(jozp%8Qa9lot{2^jd{rCHP9Tpl0KG`udDq$1 zbI**=LUfnRftu24=n8a0(aa@aD>F$5lAW9JEce7M-!{e9bLk-HSH`pBHD%Nt+IvH3 zgMZ$oID1r=FjQ*YotaT4KWMgeZ`wV=qpG^5IoVkEFcm?tXu`(mW>h7*@%R4%NH|Vp z*)y(eNLZn$k$6aobDC%B|b!74K{zy(OQYn?bdAgJlEeo$Ii{g+LS4iUr!{ zY>xm z^|Cf;C}g76c<{AmHgd~hbE43x(eBOFHk5BA|&wU1=vutta+`LuvD>s8~ z0Kj41qB|sp8OYdsfoOt6(ca+qtEu0ju8PFnGRN-$oq_n!3n@>L|Kf%0S-)LQH0VM|&geIdz3612Og_hjp3<3fo z5|o@XNX|KnNX|JoIp>_@-R<+7d(XM=y?2cF-#5N-eu>aswX16Hwbzz)ZH9kZ?i}5 zRnk-Na-AM8PPOFi%$oB(;;E;|U?AnN+_=j2_-=2n7;(8NKEhT0o&NS03U2Y0?il)w z0fkKIxrU8RwoA=6mDTo&@2lT)D$ilv(Gg=;@_h?=viu)sFVw^rj5CK-vyJ(*{sr0*Lza?1`{54!{WKW@!4FN-J?d--U;Q>w^5Ci~T0@2;uLrvAnGpa^y zx6j?T4IY4L1%Zupy|5?iBf8h+Gynzok3Ukf_lRcS?5P)rhvBSIi0qv#-u`h9^e4Y3 z2ZHftF5G2Nk-zPJ3L2_`< zz_dD2&>KtT3fvJ!4Fd}gdXHbSL`9omnnDIOT3yJ_gNGi_E`uB?qP6Bb{VTS}?b%hShMgvILw4Pv-vThut@8l+b z>}88_0*$xVfI@Sx`LXk~C`wjalRhuM*U;sF4SH|m^)*%MYnWhlYlwX8EoDU0`gKuti(vy$I(613 zF~x1=Zj>Thpvy>6i=xnjRXX@x!$&9sSSVSiEePD;%#?w8c2%BwD&}7BsSHB!soocP z5;Sl>`z8MO++IU>hRZ~1MAA$UO8!y;3IRkY*I1WVtAPb77rYz|92p#cKf7c_m|?kwI!N`Bt+C0lN?rNtDfaCc}@C1#8)T z1kps;S=lnxs7$MJV8*jOP{9{|%n4R6TODYeT-ZMaJ}(q|Lscyqmz^0GHC^U`$8e{y zQUJP5gpY$>-z%`32_OR4@%G2ZlUMA23y{`(eVG3q4y*yJ=M`o#0WclD{R3-`{b#Hh zJdh9quOU}MJm6vnNHvw#JY@&@1_9$-@e ziBDHt1pq&-ahByV!GqPTXj-3*ob^Vk{-*#h48j0lK1mQ)smU1b$Gt%u;c=V$(}728 zumg|T%uG2V_fy(L4genpLfRlwW@q)Vf|dZ%!eu~N5!JL#UEsb}fC6iP(f!9ofH^Ih zCZAXV#BPg}?WN%CR3zZx{)z`P(;L|sosB-5p+U)-TevMq1!iV5HQdFjo9w@BGS^c* zazrROro^!kI!FsX7M!Bk%4|y&1ThZ*%ETe|bwr|n6WMg}e!USYbhl&1t2DY49}+lV z2xusKe|5O`dO?SKHaa|C46LrTkukN*0wod~ar@JnnwA8l>`%s2q7&mb;?NoeX9TU2J$<#KLZL&4DDKzXUIKL7>>rv z$7i(u?H7V8H1Zs%43B(y9?_FMgBJlzkoHkfMg;g2kappXS6Qd!sWosCS!8^j1Eso*$ zNb`{fHz@4Mvrydz^8ny8gW8bK*$*5|vML)=_+0GmgN_Pw@BhaD_fSp4>R#yBuwf=`!W!c+aV6AcOuKn-pip=#c$KP^9_qK-bE81oA;+raV`2~@u3+xL)m(@T!kdi(`Fd+9_*@U}e zev%lwsCI-yq z_6gm@H(oA1wn!y_yu{tbqI=a>tMUni9MX_87n#_yO27+Hyi>JsApI^%+hMSRSkvip z+i`hv({d2ERKMkJ4F5T?g{C9gN_K(I->MnZAwV7t34}fMxNQfx(}0HkZR}7);I~-U!Gx^QBn#uDlA;DCn;&FTtif^wxR4gZK zP#Z(TwzzPzZb@-p8~qOjmMHuj9B{Z+`p>o-ESwZ8STgldpzN+Py`bmG*)G*!MMMt# zM?e<+&hUs;qLb~$CO{T7aunf@kSn?$tZ3o;_k%!}h#eJ>0$D-JA;x-5h^_#BB6X<+ z6Mx!*vq`AR6(X%QFQc0&<17oH@~DQGKTW7NAPztAkAMRDBb%4|$?RNB+Nkz!WRfns zVOy}Z6_bnm$rg{zyjYY;+xpg8c$BX5t0{3LedbdM2uz)6(sO`5D(#ivI3auSw4ryT zKHg#D4FDMYYq^Q*f1ftqC{q5OF`TqkdD^hDn@~A7Tp|A#mkw}>4%P;_QSsIk^tP&4 zjY{$3%nHE}XRe$Vm|%=ifq-fx^hRshjy;L>O3B#spxBjg6S?xz0lM*(QisKaaU!j`TM`#Q!gOXh(jE=pA=A-=e)Ey?XkAPHOd|1Fk` zN13psRN&jL+?}=Ash;br_N>5aycn4Qy;ycw-Orxa$X4hruV@g)4PW%z0c~apwz)!M zfO(_H3XDg2+j{ZW=Neo0DT~UE2HVL|_0rkO9m$)eunCjGCxIN9jm$~hhZ8+{5OYBE zlmz=Ctw5a}?rnhKjhi2S1tvaKY`Hsv`rH$abM^1C5*+Z3gG6`4+HIxfny z(UZq%!Nz^(qJo!pUaqR6$W3J&IU0^(J0hgd)&l{Tyf2S4y zh>@@jTVZuNd;p@&uIcKDLKoxQJ}%@eH3hTudl17lARl<6fv(SM@esCcZk(P3J_!<* zXjORJI7pQ6J^@Y|Xy-{%fm!tq#pf)x17`#v7&3%j*vWYJX{**nICc{$xK-N7fpKWA2%fjr)55HMpYC@9o7i~o%8KmGQa z)P&uc2UIjISg$XRD^IjR{B%2;M^9}K_=McJg_F&|Tp8o4L&`qiVF0n}NdR-APu}*% z=aoElju#t6$WQmSAGf9PH76c@_#}qA?M^e+07*;4luP70B{y2J9cT zLw`|uWx*%zzDACz9hjZPpc5z~d4ND3$?>#V4tc}>$rkNnQ^%7(+%<5972_?hTPV)~ zwf&dV-a6>)5&^oRvfTO1QqTjY0b>bx z%ySR?7MzqU#5ywy{8j_})M__(0tL-8v}> zh7+<(RERPJJc}ie*nK5e-~|MHL5#nZ13gye8Z`gujPsYe@qg5K{iTu76-@y2e;}G9 zS~`D)kO?LxB@p%Imph(g@RV`_a;e1~48;&n;2VwQPKd8SLHTzM z9MgFm$-CX}_iFENd&mD?#q;fNuNH8ZAEGQ{#1Dj~k%Hjxm+MAS1K_y>+Tl?27Yd|i zo*MoFP~C6cz5{mZ+a$_hCH>{70sck32kyaLH6=0dBVc#ZDvG(&l1RAOj^mQbquz*>r|T zx~?#o)F}U+)c;<`|BtZ{sN8XI7Acl~Wj-AooZbq*)&fceuK!)*^m(<<^-~O*k_#ZP}OA-(BfPcg@?TT?eg>Ny% z74IKrzW?_e=r014|i*?_ZYw}KwKnP2b6R1Ajh$$ zbiV+G-@xw#YWTtdxvBpnV>S26$)Ox91Z*Dx@enfF>&r29dzAunU;(*er|CJep*%R- zQ2Y^v}tLA>O!Jum+h_b=7 z`ZK^)3RpP{j@0H20b0CbX5Fum9yVVjSiOMMz6`w|QUz(Yv|gaRA%QASWqYorYD87d zM8v(Re@&V#(LUEB1%#H)&LA;20Gfm^^T|U-;Jd7UsVG-YGVX$HQ5tNEh5MP6Akohf zPC=>>W9XlafNW9)B;aZ|+zB8dB>Y=LDH>e^hD-{EtR)`n0pyUyAJ&nA%!h=fK$!Xy zxOk9-d1c0dG(7r42l5Xj#@#yL8}8s6M{UuR;3Dx+&UKJ7N&NOLkd6P{!&!ffbQ=oo z`}39DZs692X9T_yE)mrLirY7+HrmLqyou%ksv%Jz4JVs#&M*UK;q}@<>NHF3dLM!9 zJ{9EiUskFHnSso-SXdQ#De4CAaY1eV6)Cf_QClYhNk8>p>dE@hm1uApV1x`C77zao z9{!s@@-0NuD+N_u_UnriWEr`A1~8Zs(_<-Myb=jqW!?Y={|PTL3%>QoNfj9=+iBh^ z4oQfcSHzg}+9`rocBcZZt)hf$EsG`axDmXR0e-X`%zu2tJ^@2{j?6o9l|V0Q<~3mW ztFygF!d{y?M3uyiS9hg1CP6|r2MN^;AbVS$U)HHnFqRnKYHBj$;Al!WdR!k)r(K!? z;!b#o;DzvLp8Alxm<}>wrvVJ9FK4%g05;w(mn^tX)?-mI0d+aqikZW89-S=G_o=)2 zEn@<8`xS<)2mi^by$OG9tTM^Gu?0GqCUGC8dC|#MyY+-`t0=*|xRqhz2|je>z?nw0 zH;!8uSPd~+HC|g@utA*{e+9iTyr>O`3sm8m0zPs7Iy>>c=jDYbIL^urPpwZxir@;q z4dy?9PuLCVPv|&QuagF;ghcKL>%$`s) z4;S}eY{1w$;&e7HrZ@oyi3$CaB2XJ^co@)u*pj06FXSaCfNi7O>t83Yx%dy(77uM4&R`h&>|n1zuR_s zl$ZdXU{b4Dh}&fH27q3%{?yk$ulfZ*4rYJCZJiDsQ^+i|Pov1j|A(Zr)yU&rt-hpt z#&Xi{vro7Rse{FB2{aoynXb>Ptr`9&#FOz0%1d|C4Anv%pnHFspucs?LOdDUE9bM+ zde}+N>kV>$@sQcnK!MLw{EjXlH>*FNjk->E1- zG_w0u@ToILjM39EfPAlehuvaCgs8C}s+T>Yo0+5(s?In9a3I`w zs39$S1i(PNPsJZxG~Ge>;Q@BP{U2@{1VzNpawD%4i8g@+k&PP3$;vj80)a|`{gs*m z!X7L8$2JiOBLN&Q<__?!`~Wnfb_{?t{r2B)`ryZj1y#uwEtiqOz~so#NraNAA3TZDTc?9t4ouihvnrV1=(`bP3({GVwA&@RzmW4>Iq2%4_Pp_Y_yLFZiNSxpp5M_${&lJh67i z)&N+7`=wstJjaY5QK0odI!ij>p7bH98~7c|Y0q|mXn#b2ynR_9*d;FR?7Z|E%Ev#n z2NFjVfNlN`6g~yvZwUm1Z()8rACRrK7)KmBIGqJ(zV$p02EzP(aN)mfr)TQvfHuaU z0g8};-eSK4v#_9=aLM)i5>w&Q^U%apgQlma=iAw&z6DYZMkdIAUYbo5^_L~U@fKjxRS6NZfaY^O27CzFM8DJYy)R*6BdeiKK-c^($ zqBNjB?D#ZSusg2uvGtXG@5xa_5BHo*#UpMm>+bmyw{x2q0mlNQk+zA|u4JKU1Ul}6 z$BS(tVMs^!?LD$XEK+&RNH~NGGVN8#(_M0XJ(42vOFJz z)te^gAmBBzhqToUu?_8ejktHPb~eq00wb92YRdjGx}KFVz1(g&Ui2#Q;*{eBVC^RG zN>JHZ+sx-^ zaj>-woOa*6E&;~gIW@<&Ko+^2>ratmq39b#&fRGR$i9NtM;xo=VNeLPV#1g?w{GFE zZ+UdevT{_pO6WX&F~Nn(ZSO1p#ibAg5Z;8FfK^?VQ12^2Y%h-Xv_;z~z#H1Lx!XG& zdb5}$*Fmlr76N19gzuD|CLSz{;7U;pUhu$rwa&MF8f`0r$T&0_oPT9Q&u2_Hme@V7 zFP}}}h!p>bWwkFkOihVbfm|3v$q=N*)%*?!eAk7Yxl1n49#4Cl3`;j-W zT^WQW(=6ooIPL3ng_}--{BQ1kDgj)qPu^fFsF%=nB&LrvJb9{Fmiw-Q?McTsl7KSF zcId=`P-C@YFps12oa^lA&MCLM%We#ht?_y9es$wzcQ=R4*0>3Fp*A(UH#{zj+U}@WguC2EG(?JL}i?+H0|^#Vw)}9D;rLY^(%-&GMQv_V#GA z;C155uyn)Awsgs_wn`5-wx>KpU$(j{Xw1%ONoi{+WY7vCCYo)o&M^HEKaY+p$s5DG z(Xb@f2Q!|i77SUI=(rd~6MS?&Ok|W3m>4M_G}u2Cs>n4tf5c-mzRof0tUH=Nm%Je0 zYFF+QZ!*_n6#HAn}Bi^dH*O~GB(fM30gAz_~;)y zV_8v6o#RX{9Sl)x~Z%HSnv+(A-y$%0VB_*rh4us78!#d2B0j*KNB??wdNXStr|X z+H}YVl`0J$R88GtF&9>^)1!z75w}jty3wE##*dF5 zouyeQQC>OEXQ<}OzP)TE8Y~Kb{bXY=Izrb<>PI+tUT%Z*ZNH!g`CLl#F&D=hk_nUL zM~kUq)rAQDqMHv|2AHa-WtY{!{MGa3ddwr3^ocOaz*FI7GVR%YHF7iZW0p;P*8e{V#`m{!41v6v>@s6Ag%AHY%Tf#S!B`OA|kdMsX)!E`>zS^@ER6O-M zgrg!B6!DFEUs=?u)L`})y`DD$OtlWXDqXjG+0^=b)AA!E*9NP7)?EGb6SmYOvV9nd zzWU+FSI#*ED&@U}!sKa)42V+Ps!MDn4CRFIlFmknCXR-T{e6eb`3}0B#$t1HS7UM{ z;=RBux&X5%t&e}!G#&A!5s8K2WAns<&{pb8k_0K66(~cujvhbG@Ry49@$)l@>1rG|P*V)@L>u zU3sZc9=_J_*R(Qu62Yw8FW*IQo?4FGP`uzJ`l(H){&MQn-SNEd>P*qhcEr>lQO2Q3 zTC`(ei+=|*RM;HzE&NxcC;u?Cne2WV9=*k<2n37HJPo7HZ-aBUt--3t__EDpc`a0) zFQipGVv4ml#?5_Xxq0tB;uJm4-NyzFN_6^ zew4g7kwZ=;Ps^wg&2kK`lCSW_($X&Mnt${iO?(7mCXNMMuujR1Od-d$>2>wFOgb zgi}`io+vkq5+KfZt|E@lr}Ai;eU{d>cm0uFN{!In=iI!A-wQR1t!>&3l^WyKryl9? zpC50@Pk18qTzMNcqv*FXP@_M$9n}}MoCbvD*~i9l<*vH3rbc@Uy{nFRfkvN~JO04v z^G<|r!M6~hbD4-{A><092P@2dWnYCB4OSN6=B#dgF?r8L)>dCj7{rVfN*r#ep8Iqtr*fi!l&qa(;>D{ayc7}DT4PM7I zUjO$0LdG{MCtUFRg8Y0hEyiX!LRGRf({XC#W^a)$hSNC~0g(<*yECefOT{B@A+s@< z?W5gb!g@>`4>4(<&ih!>Pf`}}FDvRxG~y%SdkP1&$hhlKvVmd@bN?_G4Ss{C5M474 z^@_aT${RuoiW}-TFuJvp7mDI_*u8r0n?id$U0$yECQ~c=d|e;8=^3$^2%e2t@al29 zn{A*^V?oWCeh@hn#8*EG-jt`ja!3s}pD2+^g1KZeds8zxZkiecLlluDd?6-Nb|?IWs_Rt< zO@qUXi`Sy_-M`mT`aD=jQa39Mkn30eW;j_q0!i<^ZM&<+mMiBxPW=tj&!E}lm5-v} zv9k@@nlGOQkwY>tQv2>@-okz&DckIPwDufy?QeMHY;m&Gxmf)DLmqt{$sJRR?0M>8 zCQp6UAGI}6Iu(+FGyeE^J#WGxwxLNp&7aEDq}Fk8U5y;8E1x7zvN3C2+vZqVHHSs5 z1@rmm4{2PkCu=L;6|FcG$j_UN4BOB zG|fypYf5_~;0eUOQStmRuk?V?Gf6FOz1EKtFG{Q0rlXbgS}vGUAZJw1G}k1#PKNe2 z!6!MC0it*l_dc;O+^P9=is#Mid49#BkMXdZv#W(U4JcsZC}=S8@B3r~kHM!Yz20N> zt{s1VSxqh6yzZy+Z8azZ(S1(?tGByz;CYE5R_tC(5|0;5 zh6%}#+_eljeHl--PL)J`8{BzOu&QF#Xrs?h6ye5+`h($k%*`eRi`^_T;BW*>hkp*| z0S-40i+%r80ZuphNvxb@#iw`pU|7h zaIuYyt>40pBOfOrKXjY^HWrjVMCpq>JageY`Z@<%7WzFjSSaa7zym;e68Z{^jSMwP zG(;XwH=t)+!AulS=}i3bI^u6l$?Jn@9 z8Ai+$hjwI(+#LMy*cl)qsIBIIE|}&vRxjSGr`8|`c|xgGsU67OY{F}oB;=4SVi$Yb z?QyZfvFqysHXf$zFUu|J8_KyV6;!h&M!8q}Z4P{t!GQ#=fzkumz2KE3{MHJQg=%EM z2I}GjcnqpL8a#*H{5kXxo#Wcw203q?R!>p}$fD;Lnwi&Fy^@5`B{(m_AK?*Fi8?xXYnX zB5KXE_=V$%bR>)S;V`w*Zq+8`+!m9d(LtQT%0}++akgSsy3EAq+lQ@+23?oCgrBTA z5ZY%earPwx1Y!Yper~gM&Kc9?M#`!cH|JUAvsa}P`9)f~&dbCKYg?tt>SwR47k&nW zc3y9E8Epu>HZI%#b+_{4(IXC{V6gA3oIPzBB8u;L_E~>JBo7V7Fw<{vQ2kQC$C%sK zq+iBl`coO=%BGc|BdpC(A9M6e&WKr8iip4WjLN$Gh8BH`j(bP1t?MG)!C@q;1OFgt zwas$)NN!}VDOhQA#7xTA*;3rzhb4m?S3!-UEb z{TSjdqjXG4c&EWuUg~t2X`PavEdDLGOHva;Wichr*0AQ8BOCN^=3OO@;vjJPi28iG z!zUa}!Dl>&ZHI5xJh7EXH+Y!6lVf6u3QKN4mDX%9Pg&|(#YYEOY-G*xL)5O=z4c7Q zbc1{C)ydSZLT2~KH$F$pTC1-M=Bjv^f!2oNlbd$5)R4nO=S;vh9k`F*kfDu#BSeko40c? zLpQo|d()45hCyvnHD@@(v}dW|`qJnGW}Bg2O6Nd1$9RmcQ4zXXSV*72#+p5vw>?oR zF`9p);-@iGvNC*`9zd99Bb{TDxHF9*&=sGSq8*9i>5Mq#BHR*haK4}ZuRH&_KU z)qNB4^cW$T`9LcXye54-an|dK`UBH!o9+wMViinWFit=`4h<*EEYX}#GI zUh~8HJLtG;=E%MJvUUCnKV^@T#mj3Z7%PU}MXdNa~GTQGU z=;@_B9sb4&WAs~WihW$$laTUr)J28K*b8>Gpfl~yMLYq=|XbGPC06{TBMkk-5FPqCc)_8s3|<`Nan z;^dW!-8uzzk*fA$pJ474xmC?bu;E6%M}3VcZHP|GXDZFcs}flqPs7yigv;uL(+twP z(!N;BN^!-Bs{Wq8&n1dfRQ>f^Bs#*gt#TPyVtH&=`YRtLMf)`#?idGiitg>4uFWc| zcd&!1qa=M{X1rosb$vLa)-X(S6-t3Bje%!ecbNDvce1>Y@RLDZDc&?i;u_6(a(Jhg zH%ElT+>j#{wBZhymlI+9`v+X;)TlOrAMK{uRb~yzTK&@CkF3b7yh~Mj9(uE%9eFcC zlE{a3EiH$iA!yGItj5AYlk@OQXU^qP zyTpEzUE#7uf-EsA9Mt%WJYaTpT$to8n_u(3>8AvB_AE4IxAKA2F9 z*3Hc%om{NqyVN0w%==Vz+%qIS&A-T&O`m_txDSN-C2>=S>$AXwEU`*G(qrYIODgxc z;^fXNw#Rf`s{Hk{q(XXZ4db2;B0|B-Bw<-Hit?p8?n3>mXJd1rDJ|kTnkyl^b9G*$ zw?&RpW$|LYP*CkE>0KvZJB{~8Wk9zzn9QCPfLGgzSiXnbCNC(^f%MJDkN3RFseN7NqIK|xBC zitx$%=URG0QWG|ms^YfBo_SnmOU0Qk0AyyNz@-q(V;@`?V%L$GQ=sWLk1Is{ta)n` zbf_`kFQiro7`@m}C2&Jt-ZQb^nElS;k>qjZMex|TcDwUSARHU|MMyMh_MKmGo?5kE z&VU8gYhtrWvk#ihm;+}gWp8pUigwm-c{%(n5#A`W+7)ajs=^&VQ#qM5vr__9RvOC} z-rJGQllE3`<*(q`dg?~D>bt&_^wS@F57U)Ha9dc4dA7I7m_7$tOq3>h%b4U5 z-e`g8hFJwG+sR|6l~t-W_S@!jr^NAv4F}%CxtbC){>oSjmxYZEO!}3B8sy*6-ZcL1 z>#W^%*NgJ8_sNX@QL3B&TO*QPmk|_PwO4yBAqTnTF^sg$WpGMCH_;&3l-Dr6&)&ZH zk>aS8?t8@X(G^sJ24(zb!r0|3!q|2!^;HGEI14K9Se%!vy+x>V%Ql9+9QBFc=p5&= zKXZC+t?|An^>F^NX*i;Q5>6}$FSs<0xE8@0TJyQv_*m0pHuX1!j!i(D7P!N4_>cPx(;U>ooI8`{(%OdC z^E|%Txn@@}0;75D_zg%ecL<;R;N@@D?eBXFckNv;uFn-VV-ya_jh<`OR=7d{B> zVchDwh0*$1n}$QkjWmi$Z`<0@%yfn*UeBM(=FAa&^XM}>iL-6s7mCxGFAsPogR>^l z&|o=1Ri2)Vkn5Oqb1bwh*xKS7IJ7d8p|EPfX5^VJvq3WZj23K(fS*w6!RaJw*N>N- z`tw?i9zL8_`^hekHt!aDy!C%a5T8;Yay?t3#$__8MGMD(s=a7_qD3vx9N=;nhmvL} z(>e3=%tYUCHN@Swjwh2S-qZBUm5e+n8yI=_ylP~d z*HZ}OylvN**`;P`$^~#re~;D_G}H%<+ev@CR|Mags8x+*iG{7Ug(CpETe`T?3h7$# z)*i|998FBW0lcCpSC;k z|{Iww#)Je3dmW-i}%OPATTcM-D*S={y!6VcD+3RA1sPA?&l*IeL_pghW zneX+~HH?|aW*eqaa80l4L46FJTT;<%k6G2L;Kh^fmKvajwcz(4ErVZBzo|yW>J2A9 zKu}~Nj*0^4n*y|G|1o3i`D z<1Mo?cxLltomjKUpk$93R`2km(+~CFzUT#%A%42>$ULQqHe)K5Uy8PO;Cg+h>li05 zY`pAnB8w`U^BSFmC(mlgY}&4dBtElTYEDFbZzj8Csbgr^5B(MF!#lN zeursVNSq+p?CkCdNp{c7O8OM`v`smWN0YyY-(QfwiGKBnIuvna--R|%b-CN9?7kP; zf8eFEp&mv*S@M2gf${C*#)JLrxm{sz!uyvseBSo*mw3KO@U_}&+cXRN<;%ESd%Kkr07bh`2eV(dP7KPx7) z(2x}}5G;%$Q+YpWs@Zc}kw!!L{_ z<=~Ok7fdncJQri$W2eqPi%-bRlJOZJ#C~=+Z{eAN4C@?k;dIw{{x)J&TLuHZ9=)3$fgzu6~Noy>o-Lv{0N z6r7ixdhYPud&my5!}umV_(Fgx2_S2x9kg8MzCdQ2o-v)m?o29{^GHF*3++dej_ zLFJWhrR2ptJ#R%A-|qW7DA@t=gB2H*1fgMv%_~bm*}w#zjNljDJxoOl`mBYxDadGu z7YQ-csnzyIyYC@6?|{{NVgI3gUsl>Kl0ip{o{@PWp675FQ&#e)4bD(uW-kWz*`#YKYre2`rNv)5LKiQdg698Bok*l6FQU5UJAsWvE#^nQ7u7iZ{l`w%I3dnqy39 zcjk1lpq_M$aj(Hvc_E42+g+yzF9>4n?}_uot$v_JbNuGDTA<(hu_UURiZ%ZeH&?pJ z=N@=0@UV9#6g+lop^F$jl0~0IW7dzsmAXXnqQW`|o`$o_f9ln{{e!SA;dhmZV!shV zbK=M@ReYggfbV*jvXBpz7`zMhRi(+0952t3oQ&7vnUqY|?qvDYu2Oa=_CW_mW|TTT zL-W9uxLGA{Ugyx9m6~LW8{sGN!u(!@d2W&zmDmq`OTqTKI8u%n!);F#{o} zH(%^Q@`AlNaM7Qt$fhEWLbDKGM#$S;Xx{*!>zkdrgA2d|hiJpEP8lI#o?k?EQplTQ z6m8!4Y-PzcVOD=bZLd05QkZZyl|U&Amwn>ZkJ;q<3g9xsci`{uXD#1*g2xIrq5&F; z#$!<#c;pFXm|wweQ7^;nu7D2vB*Qo^{eGEK6@ENJxp+m5jYH(?UMvEBhu6^dctVcl z^kXW}BDn>+Bu*Hjitx;10n)_Tk1AMG^Gl%nw1i)*MpNfxi3V$Cfl0TTk1XHYYFm(Yz9YT6}+E|x3~JMg$| zybYhlP!U0beAyx&yu-XX47@o!y-fo6Xxrc0c$trdyb(ba=AO zF{7tih*2@Rh;6t{P&C3$rA3VfFB#diG$4QT0RXD|$f46wCJeuSjs`RRVk=pnj<|JG>e*wCY0^ILo zK#YNKa=g9HNepa7{^jC$_imoyT|(9;B2)xHJX7RC;A$6PECwS4SiNdrLt0!IA!&RJ zs#@07O8E*C1$JGd`6cjq13t>2Kqh6Tjv`fEEVYq-(7o#%uDmlF=&+!w%SIUA5tQ6_ zJH(jWbR>^DN=IX`;9zYa4FEN|5qmht(`Ra@&6aL=*^rH~aIh=|&aY2}+6!iCIo^K0 zp{-Bcp{|@Al$;qaUSzL6KB>Lpc>a_T0|cSgXT~{%0J{7UrFCBsF7C*mB^UPuFM;<8 z#B+sW8yt$DPS~}J{c=QQIdqImu0=tsV9!AKsB<>^rK*et=7T>eJcg3Bbukr*SbU!#HQR{>Xt zOWwpkDAO{4yt6ATE=)?NXO?to69%dzrQxZ+!|3HY1$s2v?+aOCO~$L8QonC`U9~@e zzAL%E(5eIlaO;QXfm8tM6?(!L1(v6c2xVOhQGD~n$4h9nSy$&z?zT%}KKn^KXUjco zkM#km@gmD|ZDoE;Xs!J7nrCRM0H9oI^74_o1?%|MYB^AB*tQfowet;l(NCFl*zC6s zqN#ZHDa@oGWFqB*EQLVhvx|??3{3kr`2hJi@LzNf#D@l(seJBSEMWT1aDL#N=h%4j z+kbj^jY~pAg+-S|omJl!H2R(Et_fc__21&TxjKAeHkxO%)=%B6(FMBs_WT@1gXA^? zVx(^p`KzC5R+t~mdEQ`VZZ)dcLV=Y8>)g#=8f{~6Iz6N~a^IKQ$IijoejFo)%fgRh z_gY5IWVp!dbIXQm?M@I1wcm$zV1Q{syPDuwpb-*qLVJHy1h{@Gxd_f^F1Jvr-2t>= z4bNlQXEgvA;WhOnVF=Z&vD;vHX{r=e=iH|>YIsC${|LMjL!-=1a?e~GfElN|LXTgX zjzrYK5*Z2UzJztLGh2}Ics9RwPF3V44zZ&$?u%ta!*;Qa=j?Uvf3S^_&7R*N{9`l=d+hootuQSO1oGGTxO%9 zlNBZzokIqM>+K;o_G;BO5q4X{$`T{6uQX!ma=VENCGRj9-&3G?*E}BHXX^$8QSfrs ztb-WE4JV=1K3xXzs)ESrYTK>=Li!~>v-X6vExbJ5n?vhK zSn?y#55ZaRJ}+I4|KY3b>wbY7>fxRwKX#_Trkav-Q8JSMTLUu zAn->(m8h%ZqFWolSVbe_&C0p>kD%O6;Sw|d2urBC!cq~;rtGC-K!6Ecjr|(F4yBT!! z1fI(7GzIm~!cq~1Sn9etYRX2)VNRztF-R2+4I3(Oa|7vyq$#B9;hd>{zSJ?Th zaf3wj!83v1$d>ud1F;&=Y57VQFT4z539RT~se@LxK+Ql^B}L(-dflGw)OKH(-0?T? zc9*GBS^W3(7h2{s7lDTU?0LG*b(SAXBuR|+ImTcH+;0B#HD}>82BV;+UhpCt${JS@ zP)jLb)fJ1lQ;a^4<#W!TS5}0v0bgpz=h-NCqp>(AWloon3t1C)JI+~-jPCT4Cf36l zdCeD!s4H~la4xxA|J{`1yoaFXF}n7LcM?qW#0rJZukYx26B_mXoxfEnMG9T%34gMq zl4;Inx_8ia_547%i{zkRgmpWf$9Ab~jxXWU{?Dq{5W$NzTBeCdd}`bjhLvs^cIy}E zosK)zV()ggZ7t}+%eu9 z-NJ;`5HOLxP-ZfLre6UQ9~|*PsZd=tQ^rHFQ_DR<>eApG3yG}OKF`GX8Fd{dkQiBi zdD1aHKs&7T^aT>c$Wc1nIw_|*sy=(SatVSCY4)(L$Aob{_fe%?jD3vv0L#XTIL>nQ ztLyD2YCrYJ%m5O0AQ|VsZFhuyE%K~OyLds`Waz}2PnUs|P=|^ciOH(p0riesO~L3o zMQ^#OF4d^Xco{1FwA4tpZNf~Dp1ptV{Y=EiWJSK^Mjcv#qz$(6LcVJ@7OgT-Ub`*x z%D&TuShLRdrAoT-j?oQ+ToxB^etmJ5 zU2$({f^x9Cp{)Y%Hlt7F_mXD}Ezne~DT+7|`EL~M!;}86MjyzLc+*Zte~v9rmW+Mx z9L+ly*U;G9<+V4r(oA$~O=BDtyn<))54F*r{0bp|8o{ipunc^{Wb_zEZj-z^JIm88 z44%~favblAO*&ZVb5X*%iA4vI|5V-LaS~rWnC~k0-0_9g)JZOAa#1+A8+$zY;eB`h z6U8~LL=Z7tk~y7zw8n0Sp=dVdw#qP)gY+#!x4medHm^K2u{_;4@onJ{LA+txmrzq> z0TrEae{1lnkSc(j^d4_=OCFNkpPV_r$Xz}O!MBa2B4exDL#f{P+eCYP_`0jn7!=pz ziicG7!v@BFZ_!p=cV)s9GT6$g@-^x!G+^fRXIh}1l@>sd+}q?oT@Lm zzET2jVLxEe=e@TzCt+E;O+s;eDbt4)m8jNY_j^m7>byE;koXm1*8a4f%z-B&62ZyZ zhF2Ytn^?iNaj{Rf1FG>M$NUxaU0GFfhqr|%yPu26xQ?FsKYeiO4%iZ_3%<6?;1xD1 zVhevzxQ14~1yB_qw~%ert}%putwOS&Dn$s({p8`|IQCbnqRnLI&%F=fpQ4UX9IzXC z?LKxId+htsKx9d|7;a_#Kz4pM(jU~P&_{!zsN1f3uxZyEV~i{5Rzk1u-uosviffN5 zv-`t~`(rR!L80!L2B}k$miuwUZEnty#*~z+<1y$V{w1$KvEP^Rk0UuFK7)u~n-&9x zq;^C~%=ZIYNvXc!M z1LS4E(oH%-=J#`Gp+8alI=)oOB?!4xTSpFgU zP@qg7HQD36e%4&=Ht~8&jF1I7Zq#5k=W+aHm&%qFFH@x4{*b=w`6YO##A4hGz62ki z(14C*<4h?a-9BdxSw9!1CMq@-^sfkKR#g!XdXS^Fg_zx$@zjhQC+{(**1g06KCKNB z8>89z4u)oCFR@zWlYNprpX*i6@Axo6s3|u`t&)G`w7Q>4omys%nX_FQRP$e`p*y=@ zJ;+un_BM^HaG|l0Se!Cv$NYp|0*{rZ@wh(bHnEd7e0PjZD^bS;Psq5#Pk*$1W8QyU zMid{bbl?ei0XGk_#ze4sk1#U&-LZPx@1Ml?8A}bMiYbf1@n%zvm}?czSci2-@!;dE zU*x#G34asl&kx@=u&yr0Tz}D}nl8wA_tYD+*O7J8%%ls;%umGser}JDcI^qgiuhrF zVWr5k4cJ{lzVSYG1}?G$#~o+hz@@TCqHq@Z=>x*pHmLMwc*fDshg@3rE~!4+By7Dr zSw;14u&k>@z0K0Upen-ex>5=eJe->tJ~3R6W1mK1ZUxxV=rUHQlKxZqr$T4#)R3>i zJtlzR6!mZ;`&Gzvq-J<`A?o@(zGiym8k7r+A5X@Bpog zQSNvvzkm^73gKrW%`pTm@y7IwkfEPp8r*;@!Z)jyR_!uETH%@`Cv@FCkM+ISXnWHt z075b8xMt2Hs=FWsUzqScT!nC9tRHmufnAXN&1?x&cyLtekPKpca~3va8Nyb?72kCI zjqGt~mulY19_{B#_#LCq(uZVPi;uwTuPhhi%-eSnglBl}G1B9SaY*Nwtm8QAh-0QK=Rz~)Py-N-K+cHL4vbdkF*PVfd zZDMK6ak##z=K-nqQzVq?mBZ>?dZfx-pNg;(VeU9ofQvhPAfI;fSqumL(|5X?>9f}q z-9OH+Z0}^GoGMY-elAlhmPXaR$RxCrsWw=(2GA-Rbu{8)AZ zxmn6nRo3E9)&15?#2&@%=?_?{m0Foz0TI*Egp9$gPsTmAh{wkB8;okt#AF^S1qdR^*yn?9&hz#81tf>Ztwu8nC`eU{3>?NHN?=Cd~mElyAW#q zqZ~J+!h%*dZkib0-9trcq7Laf{s~ZzFd)8KUpSBX0Ln>1c>j;-cUZm8?#M1Jfd4ul zT}=hcaz2$JiDK3CD4xE9Hv47qW_X=Q?H#tJ(Yv15*2#bd?&M_ecApRbhrPFss_JVS zMHN9w0VxqFK|oSPWYZu5BBdZ8Z2+5)?k*KYLRuP0ky5%5k%o1(Be|@efaOj6sM7jOS zdBLL>qI0vC&NsI=C+HPY&&8RFC7L(Cu^WAWd|9Pj<=yp3Yw1;9{i*sjZ~HSUtEfQU zOuOlYvrFf&vO3MNdQT@T*i91OSSuH3IK@Bl>a2b0w%~+O~Dz92SGfXdATwK0O&C8Qp3*G`=;maELZNbEq_O%i2yHi8mo=i4V1fqi4 z(OWIOPcCV%f97yEzB*MVNOz-c&<<}f`NxZ$ysHE+^kPC;l)@wR*2ie$KZrcf3=M{C zk(+^^%S9hrmQ96smx9~H*>OPNPhu1`XmcMv2F3VYLrod7JsTsz$MgrC*7}o~)P!Uv zQOoq`B(R}I*6%MuNJUnpV)-)SWcc9^leYeBP^cr1wc;iJYJrP`UT*N@f@CWOFMaSp zMENH#<|vWJt~y?|GsnlI(COL-VnZt3GijLAaDFQ789t_j+OMDgr8n=+^KX=Yd@?s7 zT|vJ7pTA7$fNCt7C+yD<0HSd;{iq#KnG~|jeE3W=FO>$#N}4@nt;Pq18#nBLQ(yb$j12K(}Sl?5h5~4w<1@V|1A0D zITowZ<;d!jz<4{}z=tWWU2G_oV+u>G#&{-QayH8%Ad?;^pBo5x@Xu0W98B?0w}YKV zJk$GeUO;tw=YNwnMu?P8x41-1w}!W@(UHN4ApaOduo?pC!hL+tH#U*6cD6JhT)PA3 zBz0DhY2;-guR2DX&Xm<57mdxB@b)>@tLzyj0qa@Yf-jC=pMgzkC8KG`6vJ;3%%xQ< z=qKR5{9$?aRyXM6h!3qd@~K z><#I6gwn4U{$Ln2_#uNQnw7yRH~HaIdiRv0W&bU}{}crO!)luq;WJZYJY!yWGW|IC zGeQ(bOgwK2ftfD65g#yZ-lN@i?$ZfK-K$in9ej69CB3D5&3&AWOy(#@r?@`29v2}t zW?q0^pH62d0H9~{lHd3F^vhv$w*ma1l+OL`rg=(2T*GkQ} z?~@KbcnG}jQvhp1ZJ!Kq!B=hJVMnX^x}-$vUE-8_7oXsM+IYIZ>PTr}IMp{nh*>c` z{d7PvED;g`tfBKfmk`k5dpfW0uiC#VQkD(!Xl2OB-A@oz(o!6^IT#_hI?)*Hk)l_P zHh`q9qdbe@5()b?d&RE@2G6kmd^EzEm}wr^Lkj6PTCdC;PNrA*R68!XN%_wk8g#S- zpALYhMqm8v-tOwi#!CIRyWI^)Cx-RoVEw$H>j%I#-m`dtKSXYCBm5Af+93Hs*P}v zO?uwv^@RmLtK%+e*J==0&?+|1*S?$`c~vfAZ$-MVeJWICfrSXcn3PKZ`6C*uok%z? z2Cq#F2YafV9_6oiiz}Q7xK(q>2eV!4^d5&2_RIY_$%hDadxatXb!$n?c^Hq)bV_c{ zAX10a(pjXR*Ese0r6XVZswtL_1q|zSfRFbPXYkvnhOB^hcdmN!#a;E&yJX4q@RI=p z{cYT%iW%0N0oyYHPVn>pa2C{9U+i@qYfcUWtL1a$e-9iU1&tZ?$P<&VAwZJ@&|#O% z?IU2jxlYI4d-TbY@!I?9#Ob!kc8fCFu36vnbYX4>yP9fk)lS~;wZ63~!Tw$V1W|eR zVL%qX!IG3sB`u4b)3J!%d~H-D&;4l7lA_HTj^rMLG2$X!`I+||HaM8UvPU%{`S%?< znRSm7GXd+9h`?c{nka)1Ky@krWBQWP&TAO-9VTZY{7?tr{SO4Jj69c$m_gqEkEF2- z&uat2aNv2$DVT@+qP~4F%;SnYZwR@HkmGrH-c4<~69&%-k>{s^rGUgzE_=Pf!*r&~ z4P19PEL0gM6rl84u~cRy-mtu2S^wKTrJae=J9H}KxCCW$m$lx?%9`cxPi&|-;VYC= zVs}|JHyDUnPop{G$B6M2+aGtlXSmS5ma(b#$oARv#I!t}A{}|GA|2_w^*WoRtA7Vi z?j0qLZ~0T;u;Qd|>Tx-}_vJZ_7XBwn5dDlV6=RQjU9+Zb6i6_pvPm>iO%?hY`*8OH zK~0mDtcP~2KoZ$h2}&UJoD&KU^_-L}7GrV|lA{^CrjbPGsLRv+1n|cr7Qn6MMww?_7DDsmV3#(j|DhypKs4La?=+C0!#B`+LUaF6 zW(fn#fkl}Q+x*@$@)QoM9?oBZGD%P9OSLN_fzr-+5QI2N?!^y7}DwRR^x6*_SK2Z~z}^Y^F6Kd{sD zFV+9yass&U4$C=#9dF<+;efqq8}s>VfcJ~$4 zPEICDz1;tG;l*;?xew%Zy|0O*bdvDd-hBF$nB?incD7aEiS(nKHv?n-qz|!4Z*W|^ z@$T98tT(4A9*Sc#zlmZCN&XfxvDPItVyn)03-PGwx?{qO)bJsF%Hp@2~ z;kx5_3Y+1S*9FpkbiyoL>TLI7=&BrL3s1E?_d`*ChEu0;r*C>$<6^Y!#oT;PVIN)) zx7@$_S_HREEz_2$Y;+8kbk#&DFc#dzKCQw0! zK{37JYb<0@dYDS|$y0n7#&G9UP16Ge{&AmE-d*Q7bq)DG z+|$^slBfT_0`?kNtU}CfE5>%cFApFnxLWVynn=rH=J>6a`APjn`nt_~PzcOZcTiV= z%ko-J9`no7SN5AfBT9kp+Pifhqoh~ogypdeIa{aB)M(6euw1zNU0AU#;nS06zpe|^ z)=qnk-*QUftpCQ_@%;=P%V}Q9*>$gR&MgXWvKr&#Zg|##-Rjtkjm{n{42bS5Oi>gf zN zl|NMz)iRpC2FGjxhcMRIh@6->oF~@*f6nti74rS(2bRIWJKwmAg?oCBfU?r zWk3vc*Yd% zNv#w$o~2q|^iZWNqTASa;;h#nlJsAHC>&&qt9Ynfp(p?D$+O>e(}aJZdfbeiu0eDI zA&CJA23l`kp~emZU{R5H3@Dp{gDqNMhzh_EX{f0Y-iGTP3O!f;*X4Y4SWsuM@#7i& zQeQ65-d@i#6%J0O0hDijm5vXC_6aV}gb`-lsDOow8Qv1Ae0>W00txglk{Ng&l!iCD zFL%6@E2h6X>~Uo9{Sw0KDM4-+epFewfDOG%u*`^!Se;Zin;$hs7nzn1&Z%jX7!)HOudkmq?#Ws*=-dD%b$b3)SB+X#ZEXWkYz+58` zD(}x?xf=>ZjmZ1>e7XRGpl=w)-;ylg_EnvK5lE zoY7}szCf7Imiwaw%=Z}YN6d`AJ#W@%k`DX{{l-wW(?o+<@K&^V#h*bdH!q!oKSA8` zG6yD7!&@l4?oYZZMVa|=-8qE;k8&SMvOoIts=n_N89<`=A2y#se5NIxK$1AJHEQd8-MU)hYa?$I%t6r@Z%1a zU}h;?Jl4P&6M5amKZ?8f8}s;vf*=`?THRqC4`DzOX=XA^F9>jACZ- z_s^&{!?qp1r;g9I7kk2YR)~WmxT2AJ>^S%K_I8H6y|JQhJdco%y`@ogur0(SFwu+#QB*g{}Sho>mOZigBOLy zfm#QB6Cy6mtZ|MN1K+T}D*2udmGBvT@5q}_Rw3$s*sr{@Ko}z9oioq`eDBOZeDB`~ z{^{TS=^C3Q=UzrHe=XN`7&(#kIlJ9fPeB#~{cnVie}`_&>3K9fUX)1EOH&M#<>6+$ zM<-SI%Kn4x_-W!$PwMBcAA~{jC+A*}?F$iHxlVijFE`5x2)Zk`zz&7Y6}6gz?YyVM zud6-yBJI3g#-B6K+1BZtvzLl$1+H83R{@Dw558GrY#(_M(Y1b&8Vw|=wu;1*`5!md z9=W!^kls~93tBAOYqf5a9j}X6b-pyRnM95yFB*_Cb3|?qhTX;9qIs!VXim1dA0k&4 z=Gbm1Kl=%Lq-*bRlSd}iPyV7U)jUaQr!vYNub)ESm%TXcKh}_6? z-H4kKJicNl-Z?i)Wdi7~(ezrpk!3}cQ}NpfPfAu_AOkXB_Nw^o)Vbqn|2iOE(PJ|} z-M>Iz3bSJSwAFa~t5{$JpJ^X+CVsOQqIH`9O*|-PbqmORoDnju+7{W|%QJyb!Jd-K z*i8s><`fpSq}o!f6uwDI358>d+md|D|BUyg;zwEJ=x&CcO5&BIjr2BTLaChMQ+d~I zuw_=99h%XWK7#ztKyn95E|S~ON#vzFUYRT|Ch@IrN!2Aj6Ioq%_cvPix{zhW8M<(@ zzM7jr=9g3&U(60m6fD#v&Rbftve-T4`G7^}eUT&x8eGQHBKHdP*T0h#`Lp22o~of{ zUU}cAYH_g7Xu;U#1FN0#l4t&6SyLhZ;qAgJXKr_ zgRyS~H#WMF_U-DlZJV?u3#nlmm8xcqhGMfE#ZtBWc^avcDbxO&1HJ_y z`EhyRO-DDfM=d0=62TZx=le{kU9RecWo38%Yv`lMg{Pwt0ymAjur+v=ZdP&>&?Bhu z2{^grOklySvo%qa%M)4Mx#N$%mYVL3)DA=`7n!U_yt--9^+tJ?1+WaD`N8Bl?k{t- zxRWHdbY|^}%aV-c;?4agiuOjos5T=uCVrww1FZ;YRx)HWPI)N(@k-etba_0P=_7{ae_gsQJR_BI=qb?RaXPOWyfE z-9X;a)!(A~b3E8++_(#tp(L@V&k)-{OPV`tDaw{=nGrlLD+9L-FJ@_0YEp7OW^0M$ zfq-XgAJO6(1JNaN_m%njfEfMBl%_NZ(yx?lyW#i4*~=(Z+@sjxws40jGtIR*Q7ZDR zU_Fn6k$@#hx6D;qCOcE@&Ax0cb^HFRcP)b`#I>#P*0NDe&T9m%>$ z(+D@p>JR!;Z|shB=|d+)bB$5om7)=~=vxCi_M@f2BdgTBhRyUI$5$agb3M9Ak;oxz zg~?1aPd}segFuU0b-SpGTo3!JVm9burm|2P|_M?|c$RL7eodjUZ7vcCo;troad_%ObI@CjzVe$#GX!+84UejRZWE zi)no36`9(u9Vf%T+sRm4-aCvHPZ4En)N=4t|8UzqB2J#kf2!B$6o+!P zOi5&EcE#15b-<>b#awt_qHdvbS7e-JZ7i)YwwH08?rGdZx9P8^^K2Jx3MmQKXjHj6 zl}_zwrI_@5A5fs!bUP4XUh1=mo3P`U1}1v%8W7w4b;G+8h&rZnJ>ae-rS*AbC_amL zqn@kD#eQg8I)Wz{^GTh+C4c8@XvvPjB}Rnp|c z`N!yX_h>v@ueyf9M@eKe_Rthh zly&~Nu_X)E$S6z^d-}b-Gx;D}IY(PSXm5y=X{IH&swkn7H+Gb|;}YNJ7PDeo8^2)w zQD+(Vy%}|Zg_l#)i9Y9TyT+(Dsw#>3oSQu00``sHp6U91I`$EA+^ds=OI02GW9;M+ zg3qH8642FM?jv>%^bdnCbD zHY19lCSA_5D1V1D9=fr7av`#7e`<_9XI{=1k)tCxMBAxxkK#jH%-Zt?nSe`7?Cg~j zi<#WT#JI+T9vteL-Zn{>-TOZly~X$~jw&2=zrSa>Sd(^AzHxI%`o!tiL_?P31CAdY zDRya(q>{*T@|NQyWy_|s^D{fNPVbAY7q}(f-@NSBO=|sPVkK^Q^38@(&EA;bi9VHF ziOEma=8U>DDD`}q$nH5=?#SYw8n75xQoUG6?i_`CO3sd}s zFQw3R=3%-WN@~ZVtNF%PsZV|niL$i{!*~^WmVN8>oVM-uHgl^3s1+@SdS+J`dzFt; zzNb0|kbyK9$HTscdbck^rQdGsD+`?zHtuO~lAWakCVwP>k3rNNtR+8skxJcidoG8= za695TvtoOjU7qa?ouI)`ohF`0yo zlldv7>{`_+LI~h!5et@Q`o6=3O?L*9I?7Sf^6VDxn{h&1+Y6uZAhpb7wIP8p{DxS> zYFHUvQHLbI;(XWc>4Q-yE?zVrY0_}KC!>_KbS!7_M)yLWgPyB^wzTVRWnb%uiEgS6 zUcczH{7*`vd_Q&Tdn*&2oK*P)4DEY_$THVdaUFyY0Q1+_~!!AXuOrmr{WTL^aXP2{Sb?NbKEZ~f@J z1`U5EzO+||L1s{y$ZolB{)m^^%yg)t<>penJQ1I1w`JGX#+LdyBKs+fx^XN_4!!fQ`2wC=Edy~gX9mUJpiB-;Yo#!D64#QK-zw|6hoWZDOphSVG)b`2p z)%oJ$#TYehKoUGLrI5YNxuLPnWc3rk^F|#%dxqZ>v5~sNbt2cN!bp!Y93C#dcxL-+ zRzaUk$x?8}k(fS%IlTH&pNR^NUSrfwUwXO-o8*o3yHJ_NHETZ!Rb4Yljqr?1RFmsdZA zG2NCRz#OpH2Fcm)muPGZ8{{^)QQdv^-n+|%OF5}Zia?RVVBH)4Hc{o;>I7!BF5jke z3;&A9@Dz~&X{q5<7&VwBewY#+TMRIv~0vOTdT^U=$5ACB0rH6F^93nAf*`@2q@fmP$?Z} zpJtNQP~Q$p`6>c6g=@>RmZsD?k)1rWj#anJRUE?=jIX0+!dP9)wS)v#vD$z_$*UDQuvu_zJ{|rTFw_o=#G<4$KH8$nLRx7B2}NMle0y7@57IG zoEDtWyU(P)_%-isQuQmW>qbr&aP4nqPK-73kGZ2+8^~fiT$EK47yUo!w%rB2-5We6 zgb@xGO(iW~cW@Y+sFY#P*+f>dbTzb5js zHjrPuy|5+!qx|JcWm)6bUmU17*N%jiEYqJ`f%52+blt-os&B0L9b;CbUnT;r_fmC6 z23qG`*{$s;yGpsQ#gBIj)3yt!M6YQ%o_wljRgC6zUKd6-ECM#{@#xbmq8e)H+>{K3 zg$uERIy%z381uy!sR`q_J@RC+?S!rp$9rhSV4VP6WhMQr$TU5hZHk?cg2DM>@{IY- zv$?0y!|Nd8jW6pvACQ)k&)HucgJ@vrO6o21L%n_fO-w4B8f^# zV+Y3Tn70{6ym?3Tj2E8VMdk;Eh~fQZ__}G!)@fz1N|q~`i)m{#aLH?;roE)B0CWu4 z-?N7#B-pIazX5EVcfH1KeX&7cpTZ7-m{AnDKeZ07H*fMt{hbZ97V}f*0`1w(%&@?+-tVw?r~V}3-9=wmX1CZF@4{!tdnEic2`r((KRUKJ zM6WJFuD#L-uia?p=4qijj_U2?A#BWi|na+y2o^3|CeR+}?(!q+@5&eSJ3IeQKTj-C8gId+(+TP@cY!|s_2DJWOXJkqa@;Cj)uz0}u| z*mpLPS*!VlqVT$7=|PUr@CLE5N0?DLE(xwTU^Z^^M9!HSYV#B9!7^I{Oo(kSX=qt@ zJX@HZu?SnuUN4Q$U8!`k-W(l{1A5ChWC44Zf47Eq=IDGBce5Yg-1rgN{-fWKOfcRi zVyk58w$MVKo=0e4oS=&y>q;rAX79M%qG`2!&9E>1`)^22QPnZ)SvBgO%$m)ep)av zjSiO^?-sK+748f$pjiEBAR|uoW|_<2!dzp)LRY{o){TjSwR=UhO352{9x21~b8xEGzHx3o(S5_$^Mx$Epx}XXKqct2}I#?txh=^z0mz}-zrPZtz5mKNSi1xsgQ zBB#2vu1Uuv-uSrZdY$bI*yse8)rj-y@h|v|XPU#I%>mJY6DHPU=4Gg0i9(OTPY&+# zyXrqXeZS`!_LVmdK8XpBxRnSshTVHjM#GiHqO1TRsxZ8*$0-EtRCJ+bcywYNKv*3QaAUCXqVe_f%Z4Ona2K zxHIJo4ZRy(Bu5MCWBU)@9c;VYbJlc`Uh2u@fI3d-c%0T^np@4d=JBPc_(mKfqbcyb z{NBQ=s~34=uS$m>y?#m-dtX~>W@|lPe;>7ZJ$Q=9Emy*9xgFbnr{%&i*~{@m=ik>m zx<)QJkGchIl^rM^Xn5QxHtABlZ9Z(&U{SRoy{9*~xjdJ2ytlF|HXR!{*P`okJG^+z zxspxgAkHtO_kf<6RxtL8oAd6iW!2WtzoEo8KG=Ofigv|EhW&w(-~#qk9DmZ}I+&w& zp%va;3jWSNE8|#W`z0P-G_9zpfJH)__clq}(eAcY zQhoaV#GUPLY#4@UfDT%=M=}fdg5g177BG;GTto~rNgGU8_w%>>eC$! z=Mc79b$F;U@YHu@B}FXDU@{*gE37iO=e;={5o57sSp2FNo#4g|Nub5hKl*`m;9-s9 z+TAVoqz*CHrMoNCg-M1eUqUA(#2D7@PR*b9Vv?Ev{KeFxzoQB#UF+-igHBPgop~SY z?qHdI4Lg?A4^xUEI0Te_$2YDUcH>6c#$-Ds9T%cm%xNFbg^M&Dd6gWGOn|+&!`gEAesFZw;lSF?d?z{?EKcq<+w~d$= z>0x!J`r1Yw zH`mey8)I+!nt`l=(T&-0^%0W_j|aPRuC5_9O2oaJrvjZCTO+njDeX2-#EF~<|L z;%4G3w^)ar<&}D;Mt6ivcCD;L06%2dd`AI4;s8Gc%$M0ZY8fxt8f!~^pxd#;_D);! zq8mw`Cjt{g#GluE7~5hSFX0FmGw*^*-u*=9w){5Y7rCAbs*;FffiPV?%V|?a?0|H% z!wKGz<5^(u)3piLdN~@kzm!{DYPCk8iFjuFbovx*>A#R|UB?^|3oqYYsTFd8@Dr`W zs>3!WtNeAaFR|F+W9Q+XmV4ZpH@8IK69A$ zkF${DGXDr4BNB5v*kP1Td-;v?L|x>}*M@}a%N5?dnolmi4t@hZu90}>26PfhWlGLD zzx(@Kx7?wXK&sr#7p6eFn2+j`0%Nbkj9zz@vv!yJFJHc7O^{D_e-J$)nb|UT$yUI5 z`1kKg&0^Au!}}BQkB9mj#9(+6YaH9|_K4urF4(?}nZ2@3M9zMPL%G$Kro9%)Wykd~ zQjz0viL6KEy4odu>Rt8z`|b`Rc}cxhCl z5lf#$Y~d8yX4l)#@!l>dZ&j6L8tx)Sul^Q%s6-n3wsHE2AUIYQGRWaLOLQ;-2d&R! z`nDE$Q)(B`H1?w!+?Db3DJqKmqcSpEewWY@a=RUc#x7r6_C*G7Yg!id=Vo*LNLrb! zI|2@stIi#8Nu<8&(!$%*L1iu911|<}w-4ASo-?t{%_N(|!-VW;DETZsWnx9K=EphS z6ivoSUsVdAvR(VEdu^+9j-4$IuQ&Hp&r&Ace4jdUgA)HzsFDaryYNBm;nvjdPHRck z&nWAW^u5g=veprHiJ5b8TE(YP`ENUTW6@eJ&STD-d=6uu0!e9AFgOW77q#*w%zTt}z1%&syBkgxI3}o-wN^;%Tp7ZzZL<=vvGQi^nIUT1 z{^h1%oT;l^80Iyd)7JWG$>tPHmSOgD$Mn~ZM8gEB3@xiB6{7?0KkheXtHGz8(w5P} z%9JfHy+8)qdVI!C$Ir5Q?qR7U?y+w?!6%MM6gnzUNp;9AkNt$YQzKilI(QN)$6eL< z_EN(7&ZQ#buKT*K#~Q_=7H8+^6j`~9Y8JYeT%jq%XmApxlFT`&MTB< z3@49q$f!1JvtBLii#NX==hmxXMC5)*qGVb2%9*Z0oyRG}snr^?#aKom9(44c33Uc5 z?xl(HRn#^HyeIQZMc19F)vJq?tE)Qk))nt9IYcCQjF#TW_aS3dEHacU7t|PO-|?lp zvODIHYsH#gXsu}<|1JH>=jddi|s z8{`7jHm+W4-KyPaSsb*`l5U%7ruvYSu}6aQqLuN3>Z*qYRn^HdN_+cD76G;fVu>eA zJHO^n3n;BGu zY?D{ekz_pn>V0GvQuZU`*5m0ziGzUxS+c#UcCi(EDg&A$j8cMX)&ifb z^Bwn|&#K1NVcJ9a>2^AgC`>7BKHF(lGM_8CbbI)reL<0F*lX2W<@1iRhd{F1VP%+z zBBQEY&Vrmc>z&uqkqW~6{~asM04o)v#&2aZM&N;M{z|tQyCw>6>h0}WN-sz6%>#Pr z8A@#DnD^rEy?LK9IR>kNcq*7AR-XY<_5jBPAGfiBA(A-rI-#@YJ~q0n(KlTeBBHLr zI}yK0V<}QYVjr&;6ch_k5M3->(9)<#{S|{&ekf{ihk*uf{AjnKZlH+9M2rg5h} zKSt6VvG0pc3U_f8>pkVZ1&w#hAE+C#ZnyB+ZlY^zKXY-+EGcMJ*IcF9ze|quo@f_R7<#}c;kTd;4=9c=Wxc1YD(MpRcreDt4GDPEZHwo9?To1|rgzl!2xMig&t zTejv3+AZ6lYUJ^eW{X~St|&9OUPy3}cOh6Q55dYBOUxThlGqFfl>@k-O=PEkB-;qQ zO*c(7F zE?dsCVJgqceeJj!*)kwh$$4|Q1(f)LN-&gRxyQFH)VCNx@-6b9E7w1T0 z>#j7@p20>hx~)*ea;P1$`WA>OKYCO7dlG8k+SAO>y!JQ>(DtZpv)4x7;!w|-uG$ox z57`0}VS{C$9pPW*{MxL(m#x1%%GFh1SN+Tk)rLjr2kP0HTyZ?hCOl|{%&L@WW+h%1IJNq;n$LHv&?GXQp!2Tzum0CHBe=7bAbii$b zNbMCp*Y$AIlV3hZDGD)aAqfd$0a7{)bWNm36ij|J}@$Oiu_2Jv}L855k zbyhhN^SIO7MV+MCqqp4Xj%Oao-C{WoJlMokKS(>g*+W_CJYJ8-esij)XJvMXkaVv} zW~~VmEGej{yEX@E=?el?1(%bNV*T9_hs~Ck$i#rkq)m!e3+LwgwgpHY&@}%qW;}zqFig3Hih_=fJRhjh+ z`@plK^r!Fmx&{^wxpzV;F`u1r(qpbIO0*bx{Jzmk>3Ooue?;%{SaY@Sdtq~XOR-db zXd>$>vDn6AAwdv0y@Y7f4CT^1k*WFqdBQoCOfJQFi??n3qpm}N_NZ&)K1g9En{v<#PQ{+c9cZ$6Ij>;j1{dSm>dK-SU6z)~*qsqo~p9o{zEi&&+Li%ZL? zyH#$^vdPjyr8D!Yl5n|BcYuu8@W7P4z}zzL%CzI8;z635?RVq!1g5SuC5NQ?xyS?$ zcDVMlGUhhe|D0BP(QvK_9o3%8zM01MCD82}~H% zc{dzf%+GSRlCuzPYcB&A<1(*Oqr}R2Tbhov6^Wz+;$%rH@BE>FKG{eDA({bve0+T* zG(FNtpK{{KI&7VcGv~<~AL7+sX*4&IZS{O_{OCKijKc44gAGpT_EGavF3nrTJ63d0 zSHfRh`Qu(4%=jp@`I#5=%hk2PMIZVafv3Yp4!3RhHYlv;pUO}hNXdW$rJVMoO1e$T zfmw0MENh%~S!?`J5X~GCws;Nf;3DQ}4o(fV;TrZZ#J3l{sIHr1Hg4R(^XvnhHP-SJ&YfJGtK6Hd$G3v=OE^eMnH&xHHrjs;=ui zN*R^&v|CaGXD&>3YWPC+-i}b|P8rRJW5v1L@vYHXr`8UcW+q~>aYG5qGB!s~@kBUx zugUWU29P9Hc2y(*Id_*UH5qb!(9ODP$WtuK1=W7vvf9wfTZJG)D?L!#x=G6V(5j(? zDyjUH7I7$xLIlBaAD^M@NcoE#16L8(4>4x*Kc8AJt%yvQq7y>S5WiST%LT`_Xq;}F z;H#>oobvvKtE92C*$2{OZd`Le@WcjLI}5)+-=1c$ca0)r=IOD~S8k?AGF%4OCVoi@ zYI%*zvmU+g2^g2Jlmyi&3Z1|qLuXZDTfXi*^)o=1xEu8Q$=jd6JsR_nm>Q~6mE)Z! zt(sa|^7XiMEA9rO7E3PHWa#B*xNvZ2opYsg|CDgq`j>?H!%F8d4#`osu_`&0TkpphczG*j&_4Z`iUjOhsjHzwkO>+mq( z1!CgY_Q-zd3i8$8)PL(fbLFLL&ayhZ3vO|j9(@v&z)8V>B;uA6SuEtOqSWOf^ekn* zGQmuqd7BoAeYW%OG03=k!doj)OZ~Xnbh4y);`q6 zcqPQTR_~ccbnT698)*fwmidN?#I73!pY_^;ICxs5$3+tv%hxpojK*hR>A;^tJa%dw zG+QJ=x)v$wC-Ziq&QCsl`gQm%ecJO3{_cbNa>|UZ(z(W!;*n*{Z9#(!+-~aThJCRK zcS)r!LPULTcIVP6akBGBbB_sfaMG*RxF?l6C?L^tY&(y(-jIFe!bJutGa>C_y9EX2 zg$Xx&KF`ei&*Y!cv-B&d4xiUuGD-6xHbHwN2OnJ7NQ|t?obP_nNsXCOMDZ?XEf#uMqRbPx(ktwpv1|Yf0UHG4BvO$|I?Vjx(Pcd(2LQD?XAh zg25qTVrn1+a#mjk0c&s-#VeEgn-(dGjeZjsnv_;Y7CUMhto(?p4l)b=$)OJF(!oYw zW-E<;Io>ML&V;gQpWC{KwE(H9^5?cKd)|%{Mv8R~UcyFeuBWG3AKm_lXv<5ho!d7L z0u}kaAe0ZO^vK&-KL~lQKxIWnVQ~u{BteH!1ZOJ679@&-*aw$ydwN2)BG&z`Y)2$Yc^syNJeI(@qf4P^x$I{em;T-JS_DQ!XSU` zn+;d4xWGeOu8gkpnU%3Sk;lR^P z3P9B2n?Z;@u{l32{f;!YbYkwp_JtaaEAkhS8YNFpC0IV;Ti#Cy@4QmvGK(aMO}#23 zia49@5yW-(QmcS@}0J6qVs|610)VYRq?c+Gm)LtfXr1 zZKSp-{vGToPUyuI!{3r5MewXswvh{j&+vvraAkI7TahyKC%j_jh$!Z;%rD6&NBeep zt^>+q8eiIwP#~u*Tom=F&?LSaN=FI?njq^QdGQV7uQ9(F$Qp|NV0*#(9qd-|q0S2n z)4n1@fz0bI8k}r|$fk%VKE_(=)5wo$i5lUgd<3_dqHMl3xtBd29jw)8xey1@s*O-0 ztv^$GdP+R0eNEIGS;ZON)(Zujz(xJNO0Ykx=U&_E*~oU7nXF7!c4*|KRkTp*b({BK?P4+fCj7>q2z z-rCQFt~P;AyS-XIDb^voJh{a?U+tFr1=4all08T&xnCoj#XtpI*rujs3%>F??)2PD z%dr{ptxj8~qktM78sjEETfy9Sc3iER$t4N(fx+H-2mVtb=8Lak|PnY{U@(hU_$eg2ofz_dpr10+SN5lj6;o*Y) z@bJ87iCgPXq@J@H#Ih(tbt7Iq`6`PagWtU}hrTQ0XC z7_c8&@!w^=?2)Byuc6MAofYhLMlY=WwcAtjeA|T!Q8x`j{^u0*_wU7P<1RIs2RQJL zF4cU5esP+%LFk*_s~yYE>)|)fy-rg&(V9Kv6{1#sa2ANf%O6R5$K~(12cQpNPtsoQ z6vUvCeQc`|Rg^!|Yz@+EjJnX*ht+v~yvU50ml}$&qci8zTwq6^VL@gLhuva#z>RtE z*e%icMmMA!$bLXs=m2E?0x{Bt}*$nlKS zZV|)rgos0=GZg~iQaFYcmdiI}nvB!qu52%@k*pQQ+_o5X-5d7_f_r>@%Z*3RQ6!SF z93qz44$CHzWzWEhK=ZxL7RrIx{KNwm`BI$T9o^-5sYJfzj-lk*35UpsMp1^&&}}Uc z>#eZ@ax4nbSDeQTlM<;al;XGYv$P9u2IDRKA&UP{8WD2gliAzG%H2`^*_*#ZW|j2Q zBP&k!m&i5D->M*0v0mCB_*+%myDR{R*Ph&&{AOj5-Jc%v&gvLnP|G<~I{rOXTyh{F zr$XoS2ea4#o70>F?SYeDWBOt`HImYyC={7-IB?P$0?j+aGYD_~Ve*v7@vJi+A(<2R z8F+Z~>|gXhShUd7YgYgCASsXEVvu>0vNhCWt~Hp?6#stMIVOa}N+Go&ia<9l2oNFz z4|>ok77gVDcIWLls^zLlZUrie4CF{C#V+Z@WUA$cQS{QaAtlGaZSLz(QUCF6aCjjO zVuhHJ)>)p%MkfhhV@Sr&tXzLu`={Kb{x@5EgXqDnVw_K!pT8Z>L^c_wkwYOM9>w26 zz!69Y=28fs*TJ>OFPdHD5u5HU9TWA2B0Buk#uWE`Uj+K!IK*G1(oUBSf|UAgAB z>0{*mKi1u1vwD9&%z$S}cpuh5K#iv`)f$f{{Hfc@0o5k)GgUBQX9FD-o**|3bETD(7u zec&GKT!3z>5)Ax|cfB^sMY{M^9(h*0&+zVCj43Y@+`2Yr$`xF zzJn1`@q&2&zBs?OhsPg5+7hN}8Ii+d#Eg3{^kxtpLF(2&Ddfs1 zSUeTp&{%w2h69_47<7Ev*MQeF{tZ;~R07`$K}w|c6Ujl^Ph-R4iX~BspuRQ1N6J&m zBK0}eZ((3$g@PV@!A$@)f|?NrPEr6lY#+t+764=cc#vFsU@ZK16*TGDoV5i3NHD^O zFHjb=H>UnqF92~S0sv|gfD#bHJ_RiBH&irjNfP|Qo>%bL9~(ia|Hoza|5dsEzgH)M z|NO<^|Eu%aX_h?D+jT@P;)#pjXa{kEnS8a0HT^X{4s&bxS~{Vu`ZI_D1!=O7hB9aj-M zeNP3R-6gv|1tPG}r0=%L{XZ4a!wi3G#BYfD%>|#Yd8_BQ`_7nDp0N5u>|dzl{sczB zsUyxHgbP{LhUWyFPa|D(Ko#J2NvHz7stSa=8xs>avrnCtu)K+jsNnyJyW9L1rGU=$ z|5B49N8DR4`WwmKxn=29S542U=j)M^XGK6+WZfkv<=NJ#mAC7-2x{>I3fXk6Z9%hy zd*X>;;~E5sM6)<9@$5lz?E6xilkG@6Q$+LAK$OZ?im7s-Ne~-umzR7il>`j}6{| z{FvVcnR;7z|7S**e^6elHH(WqFQIU^WC4@w6nXUrQ7;)su+N^mg@%wH2Mzwf|4WOH z>l+w-3nHOvJvxAcC1QC%A)A|1*vNOm^X}d(oAF_!RoIAbPxrRrqs|;1f)yvpi&||)JPXtf+8IOkw8#-mtF%Xiqy~pp(8y3LPz?U zajpL@cb{`Vo%`GO!~UcsdFMOpm}5M1JkNZR;iG{qMtkYhW5je&N>uoiu)8<9M=R{& z!EGhP3&y$Bt_#K{6r2c8UM05f-xa*%nMnX-lMpJkc5RDa&Q(3~*0Dk5Kaw6o{ck}X z{!{4soP2J69so*vUu;G3-y62#zgTZPPZm2C1P2L`NXHS-1ll%LP_;r2-c-<6stWQ@ z(Yb8sM)Va*7(Sl`^i}N`OVeRP;Tpl+hYnfZH$p!HFO0pOc34juc;Bnox>~iq9 zNRa%ay#2f$$BMqn)k zT3_Y+;RK8!1;s5BRl`zj`63IZ-`nC_gCgqA9V1SZ&jgd9M_Gl%HHk^^tN(~#mXd?4C6%g{I z0OR!B!qQD8=?VcG(axNZ?kfp$rRH<>Vku^SZbUx1ulE>4&i`bm`~heGBK5-B7=n~) z^T<6P#$zn>JP{u@3-}>=KW7-){gFc$ioWB}H%HVMh`A5uI>YQ;Mt~sPikEMg-!4Z> znxo}Ptb__;hc7hURtRlydEZ`E7ZgHF8aW4kEir9f2dv%qE0DREmgmI}aqe1Lcv&>+ zd1PmdkSETie->?_MB$^@zc&?qum8=TY55-j#9vo(^=jjo2iJN(z)PBTKl|qSc6I7- zEzPelTK0-^?dA4y+O!-{{R?_j0u$76`>sEjpy9V-3`Mm@S$ol6`UaL=8aKjY6ARmF zQw1U7+oFH{Nz9RF zw<2Hiirv9uj04r_+FGf)rlAqDBrom+3!iCAHc+fQ!s!$#MXEc9tpW)f0OQbJHbS{& z6$%*9eZJoJ-h+6M79T*4S8@#P9+QkSIoj3Z$E~ zRoD(p-U9Q1i{S+qeYJV24>N6t^@V;f;ts-bEB(UTL_Uif-xB*W*(v^U$yR?JkzG=3 zGUogPf4%#q4YW71@Be*Z^h*8;IiJ}*L5i&Rg>OCw^duDiHD}aE9nbm4-7?~$lqQ9C zjB9-**3=Ean(=SNNulzm^uVlWyC+e*LlBxRJZ=5#c}aICq7AJeF2^+ zDE~INfq)l?*dYEEt+V+%@#?MEAG;$>{83j%JQKeXY#|h>HrUyJ5$&d9k#BTr<2G{V zfX%Wcv0XNE6}8aDd{Gm)0E*J=LdBezt+0!A6qAF)~iSW6%U%Ns;*d-6s|TO zH z*MJYYeJ^_hG>{xLP+{r)s}#WDyYccvfdcHh4|hUvxk;rTF%9W{%hMs;P+9ZA#gTc8 zVY4&#d86}_zzcT0>FW;4;?Co@u5xRLQH8&$1c`xq`FeeoA2vJnjH{hdOfCaHa(lJu zPa}^G#t6=4Y&cU-!i_xB*^f=m6Ln=RyE`JdP=14qN*Z7gsyej%mh5v<89P`3p(_C^ zpU7u?bHKJMrs*_|D@Dx7t8-J;70N1hPiP;nH9deFf0u`4)+;N-(G^sjtRDr};?J zRKMmuFX((te`|Xsl#0oE35x6-LAKV5LDTvkn5+)>M^3py1@~%m!vN!{y<6Pe<%8ev zK5iwfxEZ{1Ft0q-VXK!jx)Y?uO#J2-pI`@R2Nkmb@K5wzLs_CFw?yo!_AH7uwp&)P zr)}xOQ?ztnH1Ak8A`ozAWvoMqQ7HIIGt6=eRSzo-!b=G|T*SnL&*1$A~acIL~ zBa6$6Zbl35{o89tZb`ML`HHy$&f#560*Y`} z-1}6lXug8_?H)Nk0>>Fm6_cfwg!Klg<{_H z`7gH5r?RYI@fI#|X7Fx(oe~RkDGfZT9&YLI);HelchgoD*lEX>8JiX-1IhrwNCBie z>O{YXJFD~U|SBlV{ z*{-|ta&OGJ?4_Rj)UsEI-#aaEh08<*k8XBHiVIEYEJ&3OccPoneCfY#df)Us0#4le z^T4T#I{%dV9TwuL^~Kysknh?HtWQu+)2(vb?ke8K?YMW=^bRGTK}wd#D?Z~oJ)r#K zNl|au!}_`0@9sLLWNJG6YfhTC=1CwR#cZka&oJvAA|h?;AH z&D`|%Yt}8p3rKa|riZ((dQL5+xX@ixOD*l{=_#MGYg((TkIsD@bsf=TZ00HTYT%?P zMsq@j#)GKPy2URd!S2-) zjB3LIsjJk>e3=)!7P|LJXET%{FViJV!glnN#xDFNvf7lu%l}nEn_6z=$=D;Pq9-9c z!2ad})dzxOZkGw0Uk6eBPmc6@eCiw>3{q%iGd*A9MUs(s!wgn)>v>bpIgb za#S7%1l;+;{qDM8RrNW?`fjn}NMX}FiV5ci0|dOFD1N0bx}U=0Q?8v4JFbE{r|rba zM1re|T>pOlC(nXJx7Ov?$GyLKOBw}$A6R|AW!b5Iv_a;(Nj_4qMz6#b9J~B;deLIQ z87%C`s$%5}`g|Qoz3AqgaFJo?wW488Cv_msN`T~@?ArxJtB)Pq)rUAD1ze!b`)U`_Nl z1xcSP=6jYt3fpltjfcNFXM}#$6HvCTlsS!W(zFLfQWgC-^MZDTs@BN5I}7sL@0S-$ zCL8&eJgk|;LK(S7QN!|zmhN-goIcrloo>N!l}VM^tN(j}0A)*y8p9{`$3x|u1A~V} zL)p48TtLe+WFSw*&j?SZIXDfp{@fU#D5g#?49g@l+GBEOvX|$VOQ;!FT2sT8uHt<@ zn?p@eU!_`>nHhCB#=ebm=6BAZbs8qQ4?-#}w+|dnd+PWaqs;%ZXaM@S$IhYs#S&w6V-k<)t42}#~b35stD27*GS<-0`m{PXwG`!`JT1MI}Vb?RN=;1Og9a8dNm|%38$;=EBxv#<8mv(+w^U_i9k7 zvd)Rpa4g<+iY)d<=JdA3yZ5;+eIVJ?xFJ1QLxE85TT|}4v4Rjm1wW?Qd#PYdnlt&s zdzNZ=#PGgd@@dz;VVd{u{*AK|&PP3)U&Gi`%58nsa-yL1L#HP{kwQzA;*XlpI-Rb; zYc0&{bHck{GeOEUK9P{hA9)>dprJ6?qH2;@r8xFS(}EkgnrYr6_K#qp-JEugT0jCs zs$OE;L}@r{TkS%cVC2{}3maWVN==EZc6|3$udmBa1$(t{xlcfbCKhFMx$v{w$q|{C zZo}|x38!}_NA|zPH@mB+uOpbwuC`*5D6b(9wIY+Lo?=zD>$ z`#`LuecQEManFr)9@}FKs%8wTHrHl4Q0iFCMWv*@rJo7CPaN|1y zn(vm|i)Hhjt5QO#$4H-zdW$p2JC6c?dbfm1b<8Juc|wIVw({DBjMW$GGG7MkZh1&A zs@pZX%p7MhB0-3}^ka*-!vCL|Oj&9$d$=dVgj9WAc|t%ir=G9|OjdZEjOe^5dWrg| z$i$Xfd<^IwG8|Fsx6hc;$)wNl4KaN6<7%eG*IMTZABQHJ67IDEcW;OiJsj1Gnrv4YMtzcW$G_3gkgJ|G zE+fcxJ6@e=$$PFB5-?;7wrnw+2Q?%1{2u`rAnw3GzVO5lsFqdw20NL>1nc@HzEBz< z^w+?>WmkZTNOWj<)kjf>kv)IhWY>~R=7xz`mMR^#wokLnc|y{cCR^Bnu_sXkbiv>9 zt7=GfiMIyOCWO}UCM#6a%9*zSG~NPHhi z-V?f`^Cz!n5S-j+M>%D`kC^VdrbX7PNebnd(_>}4*c_<`U^sbp4`5e6xvNZ5fmcRJ zH_#Dn7N5;5CaeBRyK$Uh*~$zh;rC}7U?BcEBTh}@gs@!kQ>`O~er{37a#ay(%zDFs z?vLT7Aw~z^L3wYna~({i(BhYMq{r$>(|q{X1kK^2G-vpxV&F|k##>rqtPUi3$S1!sFgeV)?|l>M@bR=mxQMUp@=Jn^sHMM}(41@xT|0HtXBdTL{e|-Czm`uT!M*cwR z8#@FVfpm(2bQ~0Wa=-kMSx!l4*a}G8+1vv}*6aKq)lx7;4c!U+n82+?!5EOz)wwy( z8vzgCyudnQa3Hq}8+VM}3)BG=3)^vcmWK52bT6U|6OWND`)sSm9jE)Z(ZgP+K!N#{ zviTw4W9nWPFk5O>+x!w)dEnN{kdyFzaBY~$rGdrDwCRL;6A+Wfw}GJGBcE~aY9_(% zmM}sSr%7?BU?a1|!e+R=0N(5~holk@5 zTu2sPoXQ;fWOX!R6_w~V-|>TgD=Du@HD~LDe$SkXYxf^oh}VF=UbPGi&(@wig4C-7 z@;GA^-2lCT4EPnll1rsV8W>e<08OYU2y zu(f(EVTPjvUayT>E(p+v;I<5C^bB=hXL4yjrumLE_WDh~$B;RF|eSa zX4Zz65sJUsN0R`0>gn`W3PiE@^H;=)OE zg9EjJY~RNjsa`_1f5qLV&QWJv^b$3;ktFky++$u2IOO*di6@1|bNRM4L(@F!IEM1) z)c`|qqQ=>wH(7(Kz@R7&%(E8%q>iw3Qs|C7@&3xo&W3S3ke{a_s&@^G9g~V?P4_BK zWSl-aVjF%G5ymc0wfhnRms*97gBZ|p-n3thg*35_ucy0g2?r~tBcwTdy)lN4k`v+F zlCxNe-P^~Msxart24jG&kf z^oW}c1?4|BsNP#xKGEO?@*t4t-Nj{S8n64Jv&`di)7e(H{rRNFcmw_{fK}{Lu5~4s zTaPSSwgI-i$fo_HWDr(fdPMdaQ||ZUBEv40zCUk3qS(nUad4t5Hq2Svg4ffkRS1A4n z%V^?Z;ikJOE{&Ygva-#Qc(D+7sWg5d@;SDtqM$vq_SGbup1)%)$d>simn=wFII_aWhJBeiWo|}nFN`gjj0Bu(D z;>LyZK)y8D)Js4XoK*GUZIPFO%043MwFWF-SWi!rO-?O4TA1dlL{$GC<6!HF`cr5V z-;5j(@~>;i>qKaNke;WPI1Lu?()%$FMFs$ISP_^76Y_4<6&AfadD95UjIt>?1DW#8 zyHRNA`uL;cJrSuN^~_8?lPX&mt3!cyYqac*o8ZL24Ls%2xDz!#wih5?bo?o-EnZ7{ zq4lZ^>1_y&Tp@~b>Gbhu+c&HYwMXFvR+GLz9(SqnKKRjR6)pFyDV!T3W%RHd+&u4W zFfr?^8YXQ1!1LGJpPk2hKj`c3M(Hj2iEsK!ogNYzZQgNLe<7vmXyZX&`v*41Z=|X#&;P1ZZSdH&5|?X++A)A&r!H-&VT6)FEPP<^3s*X2uwUQA)yu{rNI@YFT-#qq$@^Uj%yZCp@T9shIW~yz)83(idyf z&~@N5Z51trP4mW3`pkY!H?)9NKVK4i1&)_GiJB`v-ePRG z-H=`NCPcL92c28`(D2$CB6M6K>QE?!K|%RxU=<7&t+36rr`k; z8*^`Ti<1MMfSO~59y0}PboFJzQmrB8h2$SH ztqj?fkhkqgo^|#)bP@;R`YVot4mU>qd;F~zx{P=Ex3mhU7fA~_0QHTys_M-JCb!}6 zM4^la>y}Vta+%l8=M&}jlMBo^Y8(AwvBF8K=b9n-tI;wm#j*tq**v1KfbBk`+T}!3 zK&;YA0Cec?i8)(`2`h{hwQDLl!gY0jXq5|AT=nLdIY`*`;+!zx&Ur90Q%f(w;JL^_ z)6PrR`M&%V9$ekVrCZ1hs#Fim_-^l3!}Fb{2MZ*Q4|ZcGye5q6yjGvf^dj1WvCwHst_(IUwV~18I2nxS*cm8V_^K#l%G+dH8SJ*jc_Y|n+u9k!s zHm>wGqIA0&^K%WOQ+e8&^M3a7?wmsAt@q|R7HiOpNBdhg&D8ZH?>wCpxbc^%SS-{- zY;$%n2?FMlOordJ_xoDQCMy+e}AA2^ZZ2pcst&c!(8Yfby@XU%*Tq#P1i?z}PPIBc2bf8e^@mr-vn zz0+Yw`z%jPkjf_CSHlp3+9d?uGeJupj;q(Z4%=Kp*rz|6^7Yge&tEOCIQTaFER1cH zm781vzL>_qBIeNi>SR|?Xs3deVna6g%NT3ONRZ7I_{&| zwEEH7C0uKo5E!3{j8?C_0zMVuR_AUM}OVpi6;%E{y z@)v#b(`nH3o4$U+=0SlVLyuyp1T3n`!moeE1F_8IKz_^LOTT2!_G5#8R+C8PC$kHi za4!GQ_3^EfRX&sJ1<2B&1hkr=a}b|!-s0$1PtzTR;zj|r<%1GTL7c*QOIvBK4X`to zPNnUQohKBz`WNfFSmHf;gAO}mcm?6SrsmUyxgT6kzXY2?Y?PFhdzFn5c7wSzbEr#8{)7K|&M@g@uxiwaT*bjo!(4cZ;6WHXiXUh>~E z?8KS=WMofWUMcVC{CzmsLlfA+Xw;aZ+jTNXFTQ=ZXMfSs8WppZa^LH7sP?hOo`yJo zIda}ZtP6A+QgEoO4s}vomq4vpf>9@=o4Thv+StprYg zlH@(`n>2O#a4rN-C+$zs>V3IY;KlLfh334ok3(YM{a#%uhHJ(BNJdYKrH$RD^XP%1 zC%d0^*v?Hh?lqptw0e(PY}i1Z|HCFz;WnC0+bI+YhKVWrh?WC*CuBHnGYes|TJ zPt}tgKB5f*@h8dyKKLT2W4=|r&tbRkP_GM9Ly#`bW~pbffMw&uDz@Gpe+z@*VQ!eS zi_Cc#L8iq6P^}irWVH$gYP4iy-wD=!OXG%(Qi`5Dm@bUHvq?sdh$Z|Q6_067{$iio zyl>sHu6%&0J>kqz*gRUCl!^?j(Dl{-$uhWcL6_S<@7H~Nq8E-<&;(uUbb8VT|9%+! z1Sjhup*uZDpSX>CQ3aJl&B81^X7=5-wUw<$D^Z#uAKWVq4H5nrIii|#o5|$<&8{Hb zZqJw8{VNwqdPrL)L@ z9{P(EJ#^hQl@r!lxhPzb(wr<$Aq4Z8TG6C3&a2MdNm55xe(Edu3y_{F9UHU_XH}yx zMtkmsqLk`Y_fNb=p1ty~FGcMr)$FMbyrwt5OZ1Q;_$;jVDh& zms32}*`|P1uHTBF~s!pJgHgZ;Kic#IPT7{|^O=nKn9X2|bh8NRJA1YAWJ6R0C z^Do7Zi>HT>Bl323G3`WyLPx4wceq7#xmmW&&wbFu?j|u}cH|y5 zC_GJd-(>*&?F*w#LUXH@6N_{0x^qib10nSXa=)8Vm=am1R1Ce(kiI1>uT#W+ZmgAQ z6D_-)zW{u_xvH_Sc5uwHR_G;nT=Bp%QwrDC66q5NrTSj%vLZDjD+=>DXRT2^n5vrU zh2z=HUeo9jD#5NL+DUlUT6`eC zpm#f<@^+K*!V7YCkTC_;X5WgTT+vO~L0|YwW4Rz*o+^iNEesFt8c)J&{Y%z^`PH05 zT#O-SNXSJh&IFZz@=c$K)|z(wElaLJb#xy6+>UEZY>jvIox$lt%@>TiVc{=Ej>_B` zx(W^os7=c$NQkcyJ4*r;Oa5KR4QtIQad6C=YF=LXqM>cdlemC>{ve<@j&58@uq`d4 zpPc;(IcVX-rL3p;$Hcaz?^+Bu8$XH6ECc17A@QbXhb^Q^dtA5$3oTY-1iC!v(DKDL z;yd1hrf9ECfIAnPjiqvo-rt0^eonEw1>PS62d|%OSAfftK$q$=XYM|lc7*swMSvzf zGJe&}Fh5yjK1PnHbPreLA%Q;ga2Leym84G1V~{aN3n?y_GJXwSIZOH+bZ&&xa6J__ ztnOMDEhI$l!uho?D95t)*0mr&p5toLOtB4X{TL89j(u^I!-j3b7j_Pu9_j9mJ6J9j z^aeUt8PnJeR~4D}l+Mb=Ch!_AWTIP;{yLJTO|``XzMNA@0EM~9eP{z{j4@20%FfJ} zyahpLtf82PQ=5~mdMWFDoqy|=*%?<;PTl%8o0UYBNO85X?Ki5tEau$ePb(!AaBItI z_6n-!Wb=>^2J!+K3JmniFWFJ z_e8z-N#bv4cJ5&dw%B1G4Ic36(?fP%5|Js+C~1Qeki2J1BM0_>5dq+E+@F zSTOKzGm*{7IZX?sXz2%GNB1V1jkWJvRpr?%UT(WK%!%|jQ4xY4B-{p?C%cVEw1~&UUOBjFFtn|OLt~Q64 zT3Waj8`(celiV@%UTTW&cypOhJ0CXb7vfm&Bxr{%%Q{@i3#hejzjAm(^XoJCB&U|_ zPDJ^Oz}-WOCNUB zIX$oT#g@%)VoY5+r#Xg4#uzU=J$sgP^QQdtE!g?%5H(e`$oQI1&Uv~t8BCdyG{t{L z(&i$<2VvVCJ|AD2F)`L1cy!-)0!+|Z7YfKrZ=}@tf84N<{mJXekf$JOz0k2? zLus-^7%lg^H*h}c8N7aqs(uy-z~%(4x#7ALXyk5IPq`+cMwuYGof4fTO&i%}eiVXN zC0PA##%Klkok!zNQahn3d0}}hM$;lREjk?JV3iTF9D{VDrH_)iGky0oR#gkX6!-3o zRv~5NX39$qXq_B;@NAKcqHYS$vYY=Xue?5$?cp!!c`ab{9U@U`7*edWp>qc z*GGSd2{I9>W9z|o4n8{JL;AGwxckdkScie>o`+hcV_!dYH~OOgY(S3r?iYFjvsZ!V zYj-9)12acUSC5V*I<&rlIl}G(oftB}wgy#m8W0%oP~6zR-*G%BzoK3}DW(o&23>ti z#e#IlzUY_8q8I#bzLIAp18ZSxgpYb&;Z^hUIbNJ11>)--%ri(=VH{kWwq)?|9JtwW zYupC9FcY>Gzgl=EM;EkZIJLSx>Kq&vKK9`LKtP4O{j^!di&8{DD|WYN4`0l1lgaT* zV?7&-{Zi%dlt+>-RG?|)xx`9u$m&q?x6~?)u_g5j%r8G2ZEy9UKX2@>Nx8I*I>0@K zQO9UR&r#x}#wxP=x}XIg$iGSK zvyx2&bA5hITog9xJuKsPdX8pn%z3b~py5d8S9nJ8ORP`S*5+5k+QU_>yBb~somvFF zUEdD8PhNb zi+gvndVLByb;$t*RfufG$?;tb|x1~wqk{TDrQ)Fl&-1}faQ>(^x4CS9uJ$Prj;qiA^uh@xkf z!a@tlg338|6ucb4AhQ6-fkt+l9BZ?fI@jRdbKjz_ZzjmOW+O3zE?;AM+c{T|VFy>4 zFz!Cg(hsCM4htmQPvTPH6T+vFU&=gk}8#SC4e_kKje(S*Rj;*JePsM z^_d%eu5#5A*@l%pFkGWf*vo$Lp~c&QuN{|);57<@RJEIK5=+g;sV!qjlM?SOgVX0& zbNH0Qg{Q}H&2~>pK`t$*+$VfogW;RzWccPfYfLkP-_+nWu+BCn51C_jRMRkDzyb%j zc6$?AR@lKxM0&0M^y? z!0i$@v|$!zKf+>VKJO6#m#HiifHH-}Lm|R;rPM*8V6ur72HuF$oTgL|{40|hOg5>9 zKN|)M!Y5TMfA!5odMvTApp`9e3?ypT549fyR#&N)p|mbR5j;4 z*!+57Ey2mh$;s@&(D4#o=iypl8#e2>;L)&&f-u$6RL_Yb=ia-y23+J>C68dYZH-%S~ z6^doAKhYa}oM;p@UQ30{X&b#m8U6P7fJOh)q@74_;lpM zY^urGX@x<>x+J9)+$j(YPkz;fH#0PW7`L^g2l(Ao9P-nStwF2X|pU4UeXXZY(Xd9pM&@vgoIR6`DP=M z6#aYG-=vcQVRx&L_#)c2pff?j7v7LHg4iMm{#2kqYq~3o>+m7*I~bVRQIGrpOtP_h zSdn-YGVs_a2owhR1E7DXX)pQFlcGro&1MEo3Sm(?KmtPm{!b;J3p~*`<|&8vMAVXW zbHm)IYe=%3Mpa#1h2hCSgn;;J9PbyueIXvCcy(j_vqKW#@m+s;VWI4xJEb}Xb33bc z{Py3qcvIVa6z*nR=b_R?_d+%(-o2Uj4u55_o7n8#oS<(cpgOPQQ%MsA%Zr^8-95`S zUtS)2)67sxUF71cp-1ntp=7eU2|CubOK|gMlE#o7m=N7O$$%v%)3Q zQ*K+HWqnHK?)mEjT5_HH^k&aj%Ja)qm7=|;jD8aPfYt^K$$Q_VDh@!2I?HlWVA*um zZc65GWmX34`2*}AmpUiA)Os{wE@Dm=rUGj0g$RF zp&+B~B)xu*tShSq!NzY|@qX23Pn5Bw8pzk-E?b!wUyqW;y>u}8kkz`@8o2wG&!TL^ zD9MRK;5e@6I1j&ZPjS7u<=VZZZ*Bp!knR8qM;<;FO_?r%R?ak5ev^urNz@@j-gF1rp-p;^HcHc8s;PwK;ww*P|=U{f;(X7}vVlj2@`- z2Jg0cbgAQW!}9)B=rbSCYBkkv%R;+cQ`}(73heLZLQ>g|4+$}1lPfk!7I(%R%PZgN z^kntOo$3_V?kZUc`c%5FjNEUn!(IP1C^#emnVOk-d`ouYU#$g&b}y9u1*X_vYER$s z`>2jptwyM>qJ~-BI(WDl@wj@}=`l^GsY~=dFJbtarI1a>Ei0Bw{~pYmkA?z9A(>=R zQ;_4Jr`4>lzv~ik5$XI}h3VsEGrWJP&qX z5yx`=O#ee_J1Hi=AGa}r)K1A&lRe>YiT6ns6swI{qY>E6onhU6OgW%_(7q`H2BQO| zHbyI-ZgSS2)4!moN`-fz&eH*0e)F!#k_8vHYwl!lv^^l`HZ(Ncd9=UWbX&&t*WzcF zVqu~!a=pS1Yt5^+<0T=_q;M=#NiM8k^RdI5R@&c&rh0!AwOFjOo6@iTRo=tZ_C<=2 z0CI=3=u%{lY4&Hr2>+@?9jF9OM*Waji6Es&MwJqavA5^D)CWL<&D{&kUrGwg(WA+Y zUc<-xip3SpCmE>HE&c9W+~ws(6(lQzW&Rvk^9V)pfybn@xtdSAMKSOB zeVzFw+5M_ielD(H-7hVVdn?$*Gecjd?Zl%%X7F7Q`Cevm5gyAtM-&mt0=GJ_n_k8c zZAF~uN}BAY0w~j@M5ftk7KOZ4L_&q9s|t_-lq#GJUY&=b-9SPr5FrB&93w+ zh|WdMqKYgGFy-gm)bZ7LmVk#iPGT9&%T&#G}r-Q){s$iCDqD1V+YYYyF ziLfV#{hXtXLqeH#`!5qG1rFk4)Zj75wvf}KGeMGYU_G1#QQkTa2T>XdhAjlE`KlpnWrKJa-n)!V60-tIEV=nQ`8UQN) zY~Y9m@aZx5bZ5)T0ZiQ-@ZPjz&4SDF=~1A?lHW=hz=i-UE(3loXM>!5+7N_nh7p@! zO}-)ziZ3T_1M6UdYzHZ76T68=etJ%ixOe%1TKPZK27=YJj{&wKK}X!t*uWmkW^_#v zd>;q?t4RhPX$}Kh{Dtd^m%)H!o(YQA1=0Ke%_8NW29*~Uro5B3THwpOBlw@}_ic3a zM;UOS(Jv^v_s;mHoZ9xg<%mCq_0hD542kJ4!Otr1{``GyVJoCLd5Krx)|LOh4DNUc)fqb4&yoqZ&sNWImP@6QqF%>%WO2w$HOlg zHTa}@FfXi+>R)D7yIfg;RP!KfA>h8+9Q19#{nWorCCMek!ZRbHgYlW8mo`Y4(X9g5 zm0x^d9l8?+yg>KxgC5stJx?43(6>z3Id4&GJW0AJ8wSpI!W*_6NhfeRA_-#ovEFlLayK+s0oH zgCBqB(cN;<3rJkQm%4FJh8&Tt{8SC`l8c}9&!l;@>EOpxiP{1caaD-QD2cq)0vj`YxL!h0uq<#!J?B^KkLr(rP+=(^fuAv zFp^MRhGcLkgTR0tO*GScvQA**ngSMP%Gwc_P;y|Yfb!x0RkQLx^Yp)Cp8n59@;@8N zf1fMy|KByw*=tqKZyjk+B<;|J{q@VXzsA+dcRpXgzGC#~) z0FKR0Ye@77ebc;vE2$I|7k33~U*IGZun3?3{uZgGsQ7xS`%W~`CDjC;U#&pa1K?m= zo<((FKlz9GtlI7(ux1m5N$gDE@%O-a)W&Iy1_L1Ha@!Am&0^<;Ox_W2&iUvOcsMpH zlL5dXra=d0^K&>`=fhwWh`(np(LydY(b$2DSp)-%OCvt>Eb`z6xaWLo4O}cHS*luZp@3{-G)l-f!Rc+rMkzTz!ms; zFrU9;?YB*5{%sdRNB8%8^*4B5Di1bJ46dtV;G)S{HhWC_$r4e{vGMkQ?+9jZWz^Kv zU<@TfYU=WYo^8T>fUnmCSq$E4_r?*U-Fq^?f4iNP)f&r)OO)KXSNGuWa33Nkk`-j(_euxAR9E+1G1cqn(1}K?sTjPm;uMYPi}w> z@!Jx&J&1idXxlsz;tNtZmTu&OUGWpZlfWrPE;|UvAEfIS81#Q?F)5n~HIKj@9pD9p ze0TYbD_+EwrV+jLGeJY3prPws#P~F{`J+Q3I6NugUmdGV`eoZ4LC~R36g1^>2QiN@ zVA7Lax~tP<%K+N(rV<1cmV_JFb_x`3dzEg6U&LefMeuhQT!x&u+zXS!8&4Jr>^s-NjQmf)Q4y)wWTraC z6po6pF|ByPakwh=*lW}-eTPK*XM~My*9RUpzk4PY{;L|sW!5UKLV@b13IRtm^$}C0 z;K-cz&3}r@D~n8*Y%oRJ>H}zlHtCb!R+&ItCb?15R6Ov+Z=b-aH8LZ-s^;(mjw#w< z!0>zh35%V&wlc0LnL{~O%*5=se%1}J`Sj|Y zG%RH|=7cxDT@uWpOR=X)+QtuB{tH?7kMKqiU?s%>VO&O=s`2OU3_^24R_5mP=V=<1 zxU}wDUN~q|qEyFza3doUY&sLOi=agKiB=Iz?`yuI&z<@Uv^7$$t7WuCX5D%2lp#UI`NT1@ z9$V{fI6Dm(N3q~w?5j~y!RrfbMll^l2;SK&Z+00ap7L{vbD~jZaLpAEE zT~alP;p1^i5mS0TIHm#Mq%%PW7nh7m=;qyvEGzO03B@CI$_5QldL37*lU~uJ|oBqMC-=0!o zNq`g-IpS=3S?2-8`>N7n=j#Bn4hVMyxQ;8mQR8@BheUJ%!c~suTYmrv)W|2;r-p<@ z(&PPSW*UvzH3ShlXXhf(#|R^c*t&{?o$Ux{$uq*I8yJ_OsD&P?)|gjZL@Y|;@(0na z9>hvmDsgWkf%=nSWf#H1K*X0RfEkwuW?VK4+c(>*5QPyQ*ODti!fVhotI9y!n%LOe z?EyGmS`gUt;ukPZKnDc#;pzOEn=BN-sOIFXq?+YDePgdi14O4sG`|={@T=7U7DdMHmcc}zEaZhY9h7ZUtr(D!-7kR zc|$P|UIAEvva{)s7%b_yPp^g6WdY>)^uk?IA_@%UBU)!qx;7|CcM7z`;f#`2*Y6Ge z11F^Kl6X=ehyb%ek;&VW^S&HfV6p;?>xyv=>=}o6NFCT?9~1Lb6#A|6FYACVc`U_+ z9@=Drh`s>V_;Kl2GeSC(Lr&^LgauLR9V3Z1z)cq@KDG?rkq3E}Z%Fn5+Q{`CWX5%Wr0cw|%%*QO9K|O0fJ=IQ9{j)k6o_Z8a4 zNcCfe;bevoJa5}B`5^GejHS3$$ppbtn*6}|8`v1GX7H3tjpT-AcMiID}SjX{$gybvOjYC{*N>0G!Jn0^}`4o&D3B)nTy(5#txd*QWlk9m~$6J(K ze(Kp6!MGEIQVl#_o`6r%`aj64dkcjW49rN8;s9n@h-5Qe1T{~VQrmscNi0PO8RQPK zcI-mB1Wl{-ye9l(#tJ5zmy6Yt0T(W>Z0c;-h{M#&)!W#oAv?ONnSxg!0~$sl^2MOD zYU8Zsc0gxg3}aT^!5mbNSrCTV;=Xrus4mxfy6o|~Oq+pS$LwWamQc?DYVU9jr566~ zs^NWbNiLuNA*Y=C*gd61!jrSt#$toYHrA>OR9-8I4E!<__T9*A$;IQ%rkZFu6e zG-=ozZtlHUWH><}M+lG!lh2ufV%&ASjFdqqu*{6`L4rcb5vIb2 zcZoy__}DpWY4w1EeJDJ+deHo$EiJhoSTJ`4rS|@g*87gg=cHh)?%T1Lk~L=Sg4W~1 z&z;trb3B!IO{X62Qz9z8)h4v2nMGa*)@~d)m<2PrFy7UCD#*_td!H=|T*Q6xPx9G+ z?H+cJUTlgQPCpKDXn^*-W`^i0%p(KQF|%6Iir^L^0R@-F2fHIy;?-HCnn}S7q;6p3 zx+Hj{3W>`+3g&nnA+JEDdEC7oX!+8vHFTMOFU9$>S!w66J{lxKMMPE^*vk_S##c&? z&1MFvWErGPOe*c|T<}MwZu6>#uWv$)!6B>#)xzbrBCyV?(^iVsfGw{ZE47g)c}9sC z9ju=6`{7g?IxuLrIae}1)|xjpWFtWtcO+Yg7NyMzD4*;$H zPsLGzZo>Sp_RjmQ$!y!>qclZ9MG=7kWEfziWky7b0t$+P5R~50p+pFf0748gK~9tGHTMdd-9=R0!v=p_F+90kCX|H!iQ2%fixbDm`vdlyYzzTJhKdoQ_4)w z3OQtxQ_snSK=ArW#v`|+z{m=E;8ruq`%*$H^EiCjG!vg1Cn%51C+pA81TRue3ZR+p ze+GHjz1?s(_#tcujL6mLo*Uj^Vk7%piavkffi5yXfR}v_mSC%8N$WTb_B)o~jrWGC zzOn&RWEJHn7Z{i#!@(4(-|r>87tM{e?@2QpGyxr3SwV0HlumoEfSg?|owob$-<^vP z#21wUN%X_kF7e9qYz!>TkrBsB09zC;!a5xCa~oS0`KEzoNL#7og$fkri-m!R__6=7 z0JxS;eSV;|CC+vXz3N1}QyR(DN$&*DS z+__(9d4&bI6+bnJ>p{hI??O~_`Ybx4MnSd>EXL_zO3>K<8QTVaZ#|mTsyn{#+T@@h z2IpLORtP*LqiArxZ2|;bzAaZ9YPL6w4?1Uisdn#o6LKY;A=0@qNOV`_jsKMoIy4YA z&Q|g?vy|o3dYJi6VZc5h;({IzOm^qXqdu3{#6bmQx^$ST|Hri2A@l=PWV%M*gh<2S zDy%p0a8xny4;*kA;$SlRR-b}JY_amrUD-hpHqbh?ACKPdes}9|R3#|WA)bQU;Q4MN zx=wvt!XNr27%X$+1}dE$_6`<5Ng_tAQy{Lg+rgoXLBK8nOg7dO?2OYi;K2+^qMaYP z)J}L9=gQO^ryOPfqND`E<2IeWhKSVHF{$o8Zo8pacOav!Y{vlj^4(xjyQhlSP%=n^ z7KgvPGvV>#K3~Aw%#BNRX^Gype>aZ=nkNhl(8yc+!>GVMKWcN4pXB0*kQb1tZ7+3d zwBSF~c(yDM`sMAr;KLa!LzI=Cn!W<8>%6jrrk~0j0aah?5@^6M)(Ij+-@pYuzY249q__mUDz& zfTc0K#-lIjSSM=oPK5pkW$gH^M1~y)?`t&KBkn6f>7m7!LQqDQ-et6~}s& zGAD-Mm|x`L7h1_gZGDC=2I`%76>?PTKm}$${tpW5M%iy+>czT_9gAJ4Nh>AnQD+`5 z#cv=70GD#*V5+~s2)4o5{oSLyfZiZYepFV}Vp@m&T`7}El@`4i@7VqL8;c`*{cH^Z zKo{_bDsp|kt;nYheQ0Zb+W$kb$2E9ip{lzsGp+4%j99lV$faYhpOKJ!gOIpDtpn+B zKG;(m;4ppVqCVrca{);^Y>JcHIaS)TxA_2I*7PEmrrp~m#;+_k>^`RBNWXSzcw7A} zAYDn|ri?a<-?HOhW5HSN9x=zs*L~Dy#!y#`(U<>d?v;SoKDvluc|lO)NW)X7ynF>n zEZpV`)tbBgzoR+54P!G)W8LmCy_$ikt?J-Zh^JOP1eWs*siMwC0CNs&hoe7|UwIb9 zbRJuuU?GBOuDEH{W*>k5s)YuYo`roQ$lgr1Mqx7TQJHlf7^XMF6mHje=nBpq*RW2N z@|YCn84YOP{TlgDYNM#MaaO{D?0b~iI2v2JrNIrWC$`U~mpga{mZ(zW%}TEbhHidV z?7yN=?VRUJDKA^A-M%|u*1b^DzP-UcG5(Vz^wi))+Hae)0* z2L~6`?yztZ7+d3tGK@ptru5Cy0Y0`D;5YgsY7I*FC4<$>YU~KJ>#&yF7-!1oe3*Ja zkhgBN#y>>My^S3qB&0o57yH)we-!Eh}|%zBoAjP+XntQh-x& zZF5pUOP9P44x*2aa9m*P69}2+xU{`<5t5~lf}M%zV6;$^%ss6)ekEnR^W_Ojzj66BBrM&UFKv;?j&{Di7W(S=7h(-(w zSU8PZ1&{k@`P>|`4c{tjm^c+UN2)>P+1i-vFCKd)lj4YA!QkP6_w7IdvBcTIvUL&r+Cyw4Ig~zQTQ<4jk+X+P2;s8`p8_e` z(}KH)Rg>^spm@RYxz3q>Yl;(M%(FZoW{1G`yaQtjd9~)C22>kHn5|)fxuQ8nt-INd z<0H29urongxr_CS9_=3Gh>S03<~rtHVQB6UZ`>$)0|y9`c6>!_AMudx@YlRjkM15FI!*kVEQRp zk~-|cWh}c+^8{z|-kebHn-_NbGC}XT<19iGJfh`BV^8^Nf!?DDde63stM}Cb*$Aqg z8!IH-6=?ZqR<1#6B?E^vGzT}2KOc7>D~C>Ccf-%GZ(6?DPc7I8CfCFPiK>6G1dujMtjWlsMtPVMp zoEjY$pB9pA)eTOcu~2KA--|hlRkIX$w&61MV*s1IzKCr82RkwlPLo{1v)0r>dwZ>I zhZ}Mt^*3_-;V$uMbRm`#FSJ#n)D}`>MiL$InP7&n@9+npy5Q~bT}*+g?{aA0y-l!D znPNVEP6h}b<>?{+=Kc6+5>Ur^KN-AU^mzR25KO*xz$4Y^7m)u|j8$gS9%f14+bLk1 z=0j7Re|y!YMAtQ9v;>-Br=8-NnN4@-DvE@=_|~o>#0j2)fe3Rwj;RYq_p?INfbiUF zDa5{V#AMI9%t6v`>;ZJ?#fe!$#>#Ay<&q-P-eE5B!HZN^AKhtt9|%(v&id4Hcg8n- z12aqHf+ntnS9L~Q1m|89%?ykcC{RmB9%}+R@bxekz*%p7>^5E!&nC_}t+7@YJXkbR zC{Mx0iTLx|4|EU4V-gOkZ}T_uOJIwxy8iwdN)k23mS3;%WE^|bL9e|?9E;VQVEEqW z%r>>XSQ3Kk@DB3L5!_NGgDI`+hp&>1B4s>vF~BH#ds<)Q^C z;hk%|Cgg93kW>Ip=W2u(Gx-u0V^4f2{O8hWIU9(_Pmt7OL-^SJZwX0W1EB*$;)+tP z0e!l`HSL&{BG`;1e8DVpO_hmrK$yWh*7WoxKx1~?3xW9LO8k#oZJd-4)?z)#sy2SZ zRx->owW2koGIUt~d{&=Zar1Z+IrP2eVk_~d5xz409bPD_(yC7w_d+kOhG0t2IoZa4 zEptsAicPUpY*h+noKkdzM2i;Gy-@3r$p&UVAmx9z2XZWxX5G6RIj6}4;O@~WP0*Vt>homeBCH_w{00?H)?N^Om@Y{4 z%cxjy`TF?~{Hm-_vktvu83>Wds~Ker9@yy}Fm0j`yOF;ky)S2Kep)nvZOXA3S^V8V ziBFT)@bNy!PP2v;BPIvm7u#xU{L0A1X6^cC6LdJ*ZV~5K7Z_srwXQX77~xj??c52) z?d+~XOK-{AA1$?j!85gxsznC8@LQKd=nT;Lg#~qxj2mk+vQo;H0zab^gia7*2`5=? znqBrDII;qgaaLzN7xjTw^TnR$aRr>Clo%nyO46Bs&Oab0eD2a&YGDah-mKgEdB3Z8 z2swm_8E*+dtx|cRLe}AtPE5b)p81L|^LF@g<$MxK1FHiW8pX0Wr^h55&jfwg8E-(y zVD|mYkyl{j*J%jyiERDh@S*~;F>&VeTPgT%bwUk9Xcy70{!)!VKfK3%DSy(O)a)f?2y*nih;y+XED}iL^Whue&19{ykO|}o! zr3{IyAU@+Oq~LnX8SVV2Xdlynt6f10ye3RXSs&Cq-- zRWCECCsx!Rwf3P~qrJs4$~TWRbrf{H3iFQ+a@>HS-YanUgn~|Fhxo_Gwduti-}f%n zy=NV1eJ>eud&l4ITifc%h#a47i?Z(Z+Y}7L1A8^_WheAIto>8-H`{#5c(P{^om|n% z1wTJjAP}0j8RkK14lQR%GER0c|R75iP zrOpM{64)^k6KnK=McIHHvKkeLF}FZHXZrwh2Rvh?xvUJX#G!H`-c&2Um>v@OP`mnotp7ju!wb&Q9A_A&8+Ij*b7W9p%)^k;@EUaNvVt3D0cSBNljo+ld7xz{DfdV zczIE>Ia}k^C0$dt!SXL^ehPqRPZx!8<2M&NQZH<^G*$zg-IX?2fCTom1z~+_?D!$e zhyMl8kv~;=GDW=lbMhLGaJ}L`?5z{At9GwadE$Dbq`FbbYGAiwj-jQo7#Z@!;MQlL z$>fL(TiEHeBrvM-gW#=v4P>5kiX%Yxd&%-N;~ze*Rn^}U{l-={vXu`W+S<2W9reH4Ri&KHr|1Je1(n_&az4_@0hXbysI zM%?&%V)6E3WEuCNbnZVEUFuM0at3)?_OK22bzvexzKIIBjW_~cj!~|h7e9E&;7{L2=zox{s;NjQ+WZ;ZQAouJS;h^o@dxUX{a3fA84OUjHXK_w5G%c0oP>;1esk z0RCS+@n0CoU!VOQLizrG&|Uq(6ao%$@Y4MII|+)QgFnsE=3*q@yYv5|i-he8JeNZ; U(~&*{KY$2j6R1r4J^%m! literal 75892 zcmeFa2Ut@}+cv6Lk!=A)R0NbNB2AifR5}DiItW2fdXe6P*pM#0gMudX&^rW`qSB-z zElLjoLJK7!$ypT3X21LWzWrV2Kj%OHdA%-Vxn|9*Su@W(<$j6*w^ikjA3J|+-@bjv z6%}Oe?Av$H9{9O`^e}LzB}(MlzJ2?_mbY%*R=joV;%!HJGfSHX`}SQ9w+#m=lifSj z?IAqpbNjaQ8O(8RNqT{tPyFIJVvyoS( z2YnvZDSr~mj;?9tZ3&a&{~*3BZ6Gb&ns&1P^4FM{B=wjWozo#W#Ot)1ebw*1x+hcilJ#CGws9`|Z_4qxD9*2CgyFBX0N}HKuX%2auM^%GM7VV%ROXY*#38dEagdx+s$>^I(&laJg$7J2__3?=ZB&^ zJZ^4o+;05b_KxN}d?F$uJiOO#3VX`Hlqy&Ai^mRn#cDc?5}C8&>?NKY(WZ@+3H{dnB? z`VDE8s~(5@A1I2Eh*+EU+T;Yy<;m8z7JN)>Q`!L(%eWFYK z^WebUx~peiR>wC8H)T@(eCO^3i@o>Z-)6FNw@6od$?OdB0!(i2OkY+np4&Ub(H4{a zpAz-Fos!P)eKRn5^Swj-4<@gBJ*YjGQ_VKfwp8&5z4Pq>4_I>N`)77)I*_Axo#hYC z*W%}$Q4eC@YN(2^av7B7FgJbS_I7MMxkm>DI8Id*^~U+#Gg_z^ zrn;z_n(OGPvs%VajtePx%@@dv&gOsU>$WIG1&Y~Gk1+Z zvQL{x(R5DIF~1Ggg>ODCsE@1*i_%Miu1qi=w$9AL3^`~+>p#Wv_{SyS4Ej& zH;swp^{EBxMbKZwa8cSg@2J8^OPUys^-$au!63UA8u77Yi{>q!cb1oWD=+^Va#p3#QRTg{o4PCHW)Q#l76G@#jxr*14*^OxLfF?u4I4h5$fnCJ|eN9#e zyDDt2Gw~4Zo0Hz(4xrS0ab5aTwTq2(u(FytTU7q7lOW|-?p*3?2M!!S%@(z*G7>+^ zcQ(+1tF^tCCq>#lR6ViTU_*q&WSnUyEn>aFtZxAw23h|gdZ}CU4{h?qXt$y87(*uz z4%dfBfow*m3RF$@php{m(CB~?iTR8?9aK^sTcS-w?ed&GjHV2klCsfau8NWlFTV@d z$5>QTeQHOkUKdJ@%v>eRjfE;F+ErS5HgJOD^D3=~?EI^Pm`BA(2)?fjm6e^R!k)5T zvuGFZ^BcLGiWBm)OclbW(bin{*&Jh3TdP76It#7gAm7aoj58g=Y9gBp&ZE90x5~Ae zc|q@`nwlC^`3%K3soL+yEn^K`6@^FKO>t;2DItycwH@Lr`W->!oO4gb|It)tC*!+C zs|2U@$kZfHPfvZfzQL28U!Kem4D1SI19?6!%JSpHs;%&?_7HxFGNpa3WlNp0wE~8Q zKH;IM`Kh5)=@}!Nlfp1|oi?Z3+0sEfYz3xhZG>I~t1xoGd*K~wG0bZy3XfQLPvMWz zbHd2gN-l+mB{`Bz1#LnX->^$q=Dc)3Gm_Su`ub|I+6EzX!i=s$0g3$Wn}*o6esW9v zoLdH!$dML*WvAo6txC&&KTFVvP1&$3idt)wEoFSE&8>#BA-3v6>QdCoi<#y*OIT`( z35gE50=*X_OdOMf%F{b4NXX6vsCk=su9z}JGLYPSV;NQ#{QDNg=F3fSND={g8vN2g znZ=3$_r)KI&a2`!G+=$fu=LXZ&DlkM{eVmzjQf-r8X($!dlI25Hca$NE`o?dJz?B5 zK5uK)V?k(%uGFdCocI7c&z#Dz@aV`Nh}4q9#mMG|y zhSa?^)oX?8Z52k|4f`YT5%AmF$Y=kcO;Kwn0pm-;4Zwj#z+u57xL#aIGPr84(ps#w z&vI~mvn86UizEb>3kX@I?m7Xh60bP#x4L33&Pp`Q!;NrC78Gri&g7-P(QR* zyOs-6YQPCGH}~j(lOb3%7zWd3cAE!--idCEN1|WqW~{rweQaxpO&#)#hJ7_z`cBNf zts*m=;7n?1X8ie$+HNgEDM0+wWPs_t8b?kc7M^{VEm#{i zPc6ngVN7CJ&G+wFEErD0`)YFMvO?Eu^7Ubscq^8Mwd`;sz5(l;lE)@dec?TqQ;ugf zl>0h#Dxzq!rDAglE{ERiX$7<+3G;5)1c?vFvqR$SRv%AENzD~^sbU3F z+(!dku9XNvUGSJJN~exB?Vi(FPHhsxK1-3QIkZ&vCMH>34UmR>D zJ`17HCKJHZ&aMNNM%C0os-I>Cp%LL~{RsKwo+LzmP)&XOW+w4-Mf z?p7Bi$kBj_wT7%0jkH18@mv#gJ%W%0B+2J9Y}vPmc4Xagqk^>AjyrFkA&0DYE<9_v z*cH=36E3}>iJcHV^L*s>gX3w}7f?O1B;b%JCM&%6Ugb|chxInnVEt0NS_1FELzc!E zPqHiOKWUdDZ90EpX5hO^6OgPcBYNgz2#ZE=oRtzwrwPkPoh%O9@O>6sQiQMVcf7ya zD-Bg)AZu0F?lLI1k*TwmHyacA3b@BpF)TNNCOx{L=jhwZe0NZfXD%>*>d-f-?_JKS zmt}ECD3ldsntX4yqMVc1t%74b zLYb#VU``jrc|pXGml!PDDWEh)pWgajjLJxTw0)F1tG-VfYtA>&8DD5HEuq1 zOc}cjUU-ZPviHs$G)uJYWX|GQ;G>#KvU&<)Ih-Z{t{qjr$6sSPUXi0uuvk26+ZA>8 z9MxN_^8MhL7fTqt|3CM-q2k6w$_Afbbc563E}Er4Ggu!cLo zCuhI!A1WBkSDJdU*H;_s(PIv6GQawF5r1*tk zP+s-Y=aqmf@rxT*?iH9c1d0|o4wcnvH8nVli8HI8W|iCDfLEB234lQGgUH^1M1>2o zWS6M4L1|-jJzXDH2b|i!_bZ%|8)cKs4!3wAqs+pPSP!D_pM(#)A!`^wrjZWEK=b4@5I71Y3qEE9);X1;s(2e8$ zSM-Dj1d4fIw0|s!)(cJxEVOh9W2O`?tbdWBFbT=l&)8hDa#*??em}4t4HcfRHMsYy@m2@ry&drFR>O%;vVBouSo1U)6R4m_SEp8B z#|d>iJp!v_Y3dzNdLY%Oz&^yh3)WS|EnrMC^SsA0AV%SN)&v@6zR_l{V96KZhYDWU z2kZB{A$__|X7l(izus&{Y%2Sl;~UP2&s*uS($~9skv^T~{dFibD(dXwLei9^Fri6a zD#1vP^$=0p=SJ8XNKbQk&^#9+?&|#sa!Wbla@!QW)_d*Dmv!3YzG{@hM+uTgdp0Slm!=24 zexcEvd!FE`#RS_B54#}JQ?EARQq0n7;i7>up!-b#997XW)|VftKQGh{hbCUo53vdG ztq9AcUWCsszR7gcQR56OR4Xx)XSr=6+90TPlT~gqSkUwJ1{1!?ibbxg)WfrrBCA6J zQ1On;q{eDm7uLu2>Q=E((J(g;G6meuZK724JCH@#vO8vY(lBxI%=V)WDD_aVL?KJ5 zslLXLzk+MMW+I9^Hw;en)r!a{@h(l6>5bAo`L;wRZH@xGIr>m5_(H&Puw%9NRAVx^`q+XnB_go`OTe{+qjB)S_54-5%pr@ZLrl`_W^_7FO0UB4) zG_W~PV-f|QjAEVuSJ(n~rzl;zY>txyreU7TYg!RkB5t)xSW~%zhBU!tNISgejnUT) z0sbwlcF?R$`ri!AE)L#YV4X5$QsHtM^J~&v5X9NPLA?=6zM3h?aZGc%c*R;`xA#I3^ljh`w^akj7Viw7i`#8*T8?{p?hoApWLyi;2&ahxw9i za~ugTD0N$3uf0Z~GhN_tw-E zv)QZWrCg>#N6U0h)X$J#E4cX3n>^^?C(f*Km8dwQuAKJ8cPAmd^mjn712b>);n;eq z^wfR!hfvakOumKm2!u3eTdEmo27Q*Jx>)<75hqfRqG}yrN#C9!XFRI|;t3ct2Ouc%+m{Y&AG3bV@v(^ z9ObpQPl7E@qiN{Dte7;JLLRE)i}68NAIUo*83{H4D} z2#)<|QSqw2eHVE zev*^dViq^??8Y1PrUrDJLuONnk_MJ!;@tm*0^q$;>vkceT|u7-9v;`0s{2kyT6{ z)In{fl6fLj?w}>83(IY5e5Os)(d^3w{kFkLfaZ3gQF$a-e61+UMc?G0d=fq=OWwCE zM!~V+ef6Ti+shyumO8l@1U>jcPwY2cP8O(w0I3q0XQ4EG0T83l(|cW{huVVS zwnS!Dynauyy-$ds?HMg_;}PvJ?yu>d`nTWEjjl5*dv64d-{e1LF;1*lB8s#_Ru=?b zuiqICer_p2GS?0|*2LUvDv_oza(4xf?5kpay^OO;&=XI-^4VZyDMnymIwD&q%p?#- zD2~zna$W9bLxLz{u3Sz1&29(ZbY#0XuFJ)OWfWp4k>FXW#pbrJ^{Cs6K!E40^a;vq}vzqk)}QAT!hq84WHh0ZgUL=I87MyYlW=P~= z&0BuJy-0>`ctArwp3rZdl0+1Y`|JN2%GR(1h9zK zpq(mzl1R>)#&ZpPP}J@4Qx!Sq4=v};6tt%1rf}1!kp+hHGE)mXl&?E7YUqqM>*NGc zEiN9N(w#1kXQOl|cwx0di8YPxrwzI&Zxf~4%r+7h^C|#!s{>iNc}=v}C8`?%^%T7m zh0sYx%Xz$j<;RR*B$Z{Z&`Uu=tFRK(LndgIB1+z@C(%9Lo`_3KJ3LV57s0+AXV z6`^`YQCi)o(33?)rLVHIuy%Yj2py+;Tj;ZOc1cj9a(T~U;Z&i= zW1V_px#wg3C|~!UY^&_@HiTw+U8BBD)d}uRm-~W+6O%Li;sfo8$j!<3BcDH*f)W+J z$#@u)oahnknJ&u@0hC`mllo@&^u*6$y1h&(jx@|mCZ~Jg5N!5owXDiw&%1d0?1T9? ze=33iNWO9POZa%J_u)j_zBB13(k|$*er~+dq@_j*puDDTGNTy<6USy|Dt@a!`bM{0 z7|KL&6D;9UqGlZAGnv67Ns#0(FAl1zWCzGU0u(AKS(8i9!iJAg3TE}1Z_sdrWKCIu zP#+6~skEfs9jVWxNA*?@40Qq9AZu`ZQ;Y!E)VbKi2mW@T~u~w($C3muLFmq5oPbbv#r5AIrh%d!~q(B7s5z4OmvV^AeZ>Bde3f=Wx zX$dmg;#lkU&v`xW#j70{fKaUqhNIX@J&@HSB?ERjXe&utO2$t}cX3Y^PgAd|xl-jV z2$oP`gIiYm(@I|62FgvPVk{+%7O&Pqdo!=_yCm?jvdIZ%c^Ob*%%GkNFDld@ zyv)!izQke3cZj1G84#|qcow4?tMJ}NlQl8{#Xm;RBX>czlS9s<;k*!YJC7VI043XD znG5CVF7*zqJ;|1T(exsBl5a8>KiTEVB0suJ8Fqw`bEA+OE-dGj3udiib0W#7OjWKI z2`ycyX8)!6KdQSAct6-U1rIpX-fr9H=zo%u`E@VYm!L?`DkmwJ{+O*t`b#l6(9bqX zl<8ML1ykqv9RvfganVEK zwpOBogR`6|Cj`E72-`9!IguH1p7L#E^Q6-08!dnMn`k$C`)IuNY9&{!k*nT7y65B2 zn~$WY4vx0#Zt7|L?yKR|IS6=xI+8^vqBJ`1`P0WRRAXx8zO|&`M>Qw?rGv`@qzo3# zuM%_qG@Ce1G6ovS=J{@+L7T`EqSLR6msQ2yKBM4L6lk^!>x%zC#;0{fZb)X->}%lz zr*)+y(ceVJFxy3sE?c)DEY)wO*cJgfDb*EcinvrIUH$Fptws1^OBNwK?Am0=v!{U< z2F!l4d(N@&&ujHax{MrH%t3m$nmrA5NmPIvOQWp$)84oLn`r?a64haDcIDrwd}|`k ziI2uXWy21AdmCCf0N2Ss{g5+%oH)^zN$tA#Q}+4UQDw-Fbdz6DOtP!Q89MHgiLiMY1=$g0TaBdnCdq)H4 zjQ(g&iV%&wQPFB^Laxh0xf6UCp1g)VL<};j+;0#I$`*iez6Yjr{Szws0uq zP_TKkgd@YAEs&M1|D6=~vKsXdk3R*>@lox_NTnXB zu1+(-+;-)^m(&ef#P`*EILXfwir0~(eo zB_01j_1werwl&n@8R56%AbT)4M9lCL9f8J2yXb$W*KQ9!zfJLnad`eZ*DEW1p+-uZ z>(NKotE2ua)$?C4RGYEBuE8?reD>9~ZbWwM>%P}nf`cBkR)4W*0IkgU-RS=bdffk( z6!(vnYQJY1BGO=c`{5j4W8*8WMMAiLpnCq9=WT1KX$AynR5fZ2o$UbQ^higfwOjoU z_1f*hw<*3=+Sm7Rzv?sMK!!CH9kIq^UkdHD>^HBt$&LE{Oa|0KtcI7#h;tTwC@|t`~nv9|UFYFqXHuN3#sfrB%u6Z?E> zYFvtletww(?E};QBU}C_Lk--9ilAk1cw=(jcnC32GW+ilfS7cjKf8Un>#ZXHZ(Wp5C(SB;Y*9@|!`3w4XPr_U^h2UN!XFpl;nS5i1 ze~6C!e~aSIly+$UfRXBQsCCO9-qSCCNa)res9pM!OZLQ)ci3mmu%~@^Sm|3OfCcfw zw=njeIcL7@)p}KRNND7KWUA%@xpMFAGW?^*^tOmgz*MNBLxj4L;NmJp2zLxrX7oOC`kpYq3 zAL8({TdV2!m4~;;)ZZN8&(E?KOl`RWh)6vbv7|rtY9_|EKud{4HS_;lUHqOE&Di{$ zmofdZ&86|w`|?t_I5=#%O$>pnxHu@RL9?}nGbogz+mJ((3Vo-;E`p-Ra?yi7$nLqu zt~l#Wt{d^f=rM{%2~xw>)C_dhOr-Nkob|cJo#}OAUN=Y%bcC~H{u!`KXgA5G%%<1I&PpMQ`dF%i!Ia*NpoYh zDcZUE(QOiIo6hy&JRpAtPX%1RulMx^=j?ay-WA(?EkU`!eNC~IR|zw*Qt-hc*Fjqp z9r8N21Q7qM2qa|bi7vbjQvge?PCFy<^LH@F2eHXrho(}s?4_`l?Fpsf5-$Fb-Lx}V zz%#%-O0~;doYSR)3oRjLGdP}#aUSez*8$6>6>t+{?8wrjFcipBsLl(*+Hd7{d5S@X zfoNc?=XJLsJ^@klnnUOwjC~EZSJb0u*mV#Z1{p`9=M*Nd-Yw5h3B)G!RcApA^Nnvv z446%Pjz*<;&1d36%5_bfM8!U|?0CKEM5$j^>zS{d*quy^oF8+T_r1VW7sFa0W*kN& z5=Ao|Nq8hr&3c2pX1W<9h5-l?d;^3&3tJ)xj49eVy6UNu;XDuz0+9yp4I&WDrKB>? zD>^-_F>7_Jb@DbWn}{*cBpiQJvpNE2cuO5!He4zWqyVKVh4~C2VFva!xuK*Ln3PTv z*cHeZNOed;>8ru!`+0U)>MI}z4;rU(V3)y4Qq+?*EK;kbSe@ZBqV1zgH)e2Hc#ZPG zkc^Xa0>Xv(ZcZMzcb|I-TaJjmpswbD`+ibYrQK(~2)%A0R_HxT@?r8pHG>s(j68Pp zwYHdQkwRU9aM85cb(-DR3{zZK%4q6grwlsH=uuD6<>3V+U2m2APGc~rKt!phXd7x5qbYrj9I(-5b*LL~5wNxWp})LQsSfOZ$wa+Wp*+!_D~ zjnmw6luSge^f561Yn&H#9~7Lo(X>3$`RP{h;F^$ueR64D1P@5B*4smLD#@u!r`A(N zBU*C7@8nw`r)>5P=@RJ7AP~p`0?+ZcCLwFZr&>E+Qrtf z&ax~HjYOM52SQYa?p^o$A`@jWsL!gzE7g&D(+^uQe4;F8E)fB~r@?NNSF>6f-rD(O zwO=^f`pRhdSiA2#N^Eg=lBGs|^uMX;}h+QW;~>X1Bh z!_+?|XulnHR}o|YpmUr<)N!@;naar;ogLDBRA)n@TX;W+Z#zwt-U*BjRppYaw)rZU z>t6seZaidHyYc*-6!gHhp0h$e-X5G(TZ@(1)h*&Q$oR3RGew?_-rr^AF5DMAirVb` z{^HI%8Vor4_)9}1cBu82f6(uLuP$}sfO;1ijhQM;(`X?Fj=YFNViL<9r2|l7fp`(mDMR7y zhB$MwZ0%wG_Pmc1r{Wm)`wBsu)Omon>c#?(q3<9Ieh6Ob1%-Lb^zIIE>IHMtl;PX4 zw;oCB98*DAY5-=Epf=!GDt?86OUV7Cr(YHZ;8g6?FLDGDchc+nl!MOL_UqdwO6yR_ zjIt4JR5UjU*TTQ7<2OPu{2fLRYVr_7Dso+tdM=sshqJy*(`q)^sD9iQVH>~rzM?>G+ZN{%eA4spz;l8DdJ=&Q2oG1jkk zpJrSF5;Ve!r&3PpH+!TB)82h}Pn7gHXeM6_Q^{=TOK_nUjPE9@8e(h^jHW5bZ^o7Q z`KqkcD)tFsMv~-N%zHzOyC^kgOt_%KopQ6WE8ZRa!#yBXU~%Iq@mRhb`GoK>r5iK| zvK;lB8zGPH+-`vHvyQqANq==(vsDMNUMM<1+Z#=%NuHdQQ|%+`*V+GicmVmF&Nd>3 zTTlN3kc>Nm0)p}y`W4b=H)f}5UlLc#ve6R4Ll1NDe1RSJv!M88VK6Y8=1y!VD}RM2 zB+}_TXCPAdT4Xjxd&j|mMJVSI`!Z8veBW9Pr(8(?nc2J*(AQVRGFOQv%qS1J^ci-- zqzI%y?zIxQk4EKq1ftuPyLMeI)A!qC+UnzN3Xm2)2Dr=UFqPInf2-o9u2fS7W_klJ%f)pzfN)OrB9 zzo~ZBi;XcaN`!%&k4DkS2xabEH<`idTe~VM8@q99;wO=SpJ8hjl>LrDxm}@R^Wt}l zIvVNT!ldRFR`UJno^2m$yn&9y7RNo z7Z6!<7E8-#E1A~SL8O>1@Ev1DxImibu4o;@@WY33O(8|Q!Py@V1y_Fp{WMaJo<4Tf zu+n43piscJa&ffSq9d&mOAn-G+Zi}m&mcCS&Rrl=cz}lchpcy-45xbY`w15ESQsIG265PvNSb>EwbWAs7 z+ta`+41{7#PWm|Y?yT5PrY;=|1g$uK3UQ6!(@-~b8c_8U*IM=V3J60c0M20*9(b@f zLc~b}Flg;Ygw6LdL+60H_nCLi{{xF}n@xUqjS>Fh#d+e(IbBQ1yDl9+6TsC-8)>=M z5Olr3(Pj!xw*e&%W*Riw89ScoA#)pJ(hxDC21$M(Ff^Uh!ig z|J_1ey=tc}_#cdXht^(F%&xuk?~OK3anY~U*!Az+z6$sqO|BjPi${{59gr|iy`eue z&mYux>M~HIg@dhY57-5OcuoM*;y0gD_zNX()m{0|D}J(sf3r}2&lU+JZ!dWF><=QA4zHUlgJ+B;-f#T~&Bbn+ zwJ)@G;o&>`)e^7JQ2&gj<-PiFD%lMv9AgjzV4{L|g&mn!Wm^p0hD97>*LHYs9Sd+4 z*!)VTcF{q+62pi(d=?<%P|bg)JBhfv*5c8hEb zun5k(IOVDfOJ3diz`b$KXQ|3PgFA$8rQ7Ab-<1=8iEO?_<`z=88UhSLzdeYt=N1;c zV;yfp{&}?JxP+3vTD}=5T8e7l)>j+<87~IX6KG$+6dN?&CXAA6ggo7WQof|ryW4>RQJdzwRpX;{ao+2>2Nj>8E(q zrU>hbGFq!_XJP7lx;gh50e#S%XQXj2XlEnhZUfmTR1Vi!Kf-~NSvDys>6Rx>rTf5PzPB-K}211!K;_m|};PMRN ziI&+^T2PxZCq`Gqs#1OT6kTB82o2eBU%;YWV3bl9xwdwpwO)qKRr+K5|Ne0e|~ zQ|49`0?y&Gzz{0yt9BaL*SjAVxuw1)MgB6Dm5kp#K4clhReHYE9i<$Wk#f0YWC33w zbcXwGoDnX9`MH}s<8LC4P|}j6qo*8uz}53*>^d*#(#O5r_Ksy(4 z4IbXHDHj-3Go>>rcr5{`5MH>p`MFw7Zkdkb&MKsIol7_0NI%~Qi&5<93eazcCUWN? zM@qeAt+7#MSm6himG{Qn)+C;wRtNo4F1P>``zEZ8-1+amZReBCpCB87dShp7^UYY~(V0A8z7-artc^g4oNsRB#9#=xxO!%W6MZ67 za?+XuGQcs9>0U{|^L0VohCICV3%oa;vP;kbbHT7ABmWBWcxbNIryi%=Id9TO4hjuD zOfT+`OLTr^Zb)_Ui=rRkUP{rskON976c# z{gC)SbhEf7;7Bj8PgV;2Ap2boZ9Gr0h0!^Y3JrHP58kRno}GD#n}+(n?^?Jmy!)~y zP@@x4Sr&5QW!|o)BD)92I0dlQT9)Z%m$nHN@LapEM+n1gg}oO=^CBKQ` zq>`G~Ok@|0&L)=+cG|S-p1;Hu`jrKLC{X=~XV|kj7Zo1nU7r!V{7KD6h<@|MlTHA~ zFX<%$*`t?y=A{sE3_yvrHwRXcJcNz**f;j{Ysn=hu1KH0l_Ya1r`$@w)wWW*M)LAR zDTgYE&E^yI@uRH(LK4r7*jy?G(7m@nF1M)9Mn<}Znwpv?esCmW>vV^b;3QQ9iNILs zdS!RIF6_qRt(8S?_jkDs1Nl|mFB)JF%gwYu2zf@?Ye3eq0w<=Nc^H7zu(j(n82_1h zRX}Qik`)5#m7}uZwQPo-Umsvymvtwh$Vx{ne9Kd1=LU$zUO^zP)Me@N$j}|u;53rg zd{1{Hs3^|E9c6P+_se{sAbp@iG0CxU9g|nNtIvcb~ESVWVbduE%CeN&g$(a<7ZtMOWn+o?1r55csO8{ zoqH#ELt}645?nkVr(f8l%?2cJMXKk(xpbL~T};C432=^V z$|>4*D}TlxyjEcYsLYZXGO*3YI&Bx$_c2&8Oxw_rudj0M~DKMv<{=?jW z?P*6kSPt2l!O4S0t0Y&3+Q8;Ea0=kLEp`6t(d>^lGZ{;;j_K(N75aKVa^<;jH5(Sl z6Y>YV#m(&E-Z^4Lm|8EGES=5mrrOa7p1d<>Yp)P6Cm{kutF>#xA~j=kB=JomP~t>s z!1xKaD>7yMX>r4u#6E18&+I)^-GMbYEg!>);$2D8;sHp~$xSZj{oBLN@@jBk_8!eo2<<5RiY3O!m+wM8N`7SyFD6v((4?3%r-idN651o-Z z`Wy&zleg;=(;-(NAoeiiPyySlgW5lGe~ktF zTwx%=pwmrc4dHbG_dzO=R!T*PlDx0N9oAJ{P_`K)gv`m%I1OO@1YFWq-k(`wT@)15 zS{n3Fa#wn}9jmuUbT8Cov5;f4WXhz*n|ppAov)_OOW5Jm({BKLkKF~ktC~5hywdBN z%%=?@YG&#lVL!tgsxCrxoxbY0=&nP+Oxm~xsCzmMR!$WXJTNtJYUe$5;V$4{~8{MSqMzJLb zTQ6|UWS4$LrCZ^6=*ZS#i@O1kx!I|~*Sq`}Mf0LVkPoN`&@T`Wuh1<3RHEq6m;Y8T zko8sHXeDh5h6Fp?c@oe@{03?c`fccLB=K6Z%VcJQk4ummU+^}1`Gp1$o`w#IhC9Bp zI0RY2Z3h+$eQJ^LH|OH($o&eSx~+$kfzn+P*p-zxAfaMVDC$qlIcuk|m62RX*oVN5a7|S@MOO-`A#k z;D8rg1HEu^bI=P7sfEnyp!=@FczjXI9}Gj>B&CQQYh4>t$?>&BY&yC_8kV|>{=Q5% zZyX$Ql7L6Nb!rz$x1(*^oOi3$ldr`a+Qad|2YcQ>qd+?y^VcDL;OrYev2wa8lnRdVMS68| zSIs6diBKy>_^b`XAR#gx9~fMXJ;&(4;HFSFNg$}^`c`35OQg?gp8NsZ(ywMHkiF-v zVY_PZ5k~LZon$7oRF7w_ zVu}HkN<=ZD4aYXF8dY2R_ynCf9x@qVJ@W9wakT4LvYL|$eETFAb8l50epWSpVb`T< z;-}DEJ@$pdzxP8XR6E2w%H6@ATHpoCO&0pJ3vNShoj`Tgn3We#PG%!{3@cfNt^Mg| z=1%&Ko1!?uBG8f0`$|y<7(E|~Vm2vefK{7XFGdnis)dQJ6kzd-5D6@Ye_xfF*xU+E z7bx$G#m6FMSwFPe0ntt?F9{4WTOmo6^95lZ&I!}r35_H`EI`>MHY~A&T&4YKsu2Qs zIj`Xdv4%4<(VRL^9>`+G$|miFc%#kH*ghA=&2Ro)rVRL}o?=v*4k3%n6X~`3eKi;Y zqsmFC>6a^=u{GBSC^eE!-<&7%H4!?)KeEw%WMRjeY@q}+T@lChq+KTwub`j8DBuh3 zZA9I#SRFujM(Y@9F^)FyNHWo5CwPF6prt7+{=kWT-}NsTk2SH*Y$L&_Fa3aN?2m>O z7W8Nv^tJ;2yDC&8oxRFbl9v$y;!j`7I6n_KQFG<@(fe-t_P7|>6nG@eZfpW|IF)=i zn%`m-URzv9*Kgzm>ZCYuQ1SCEvC6G`lYCVbQiU!u~uvd2H)S1t~d`2+;e#Y0w?BRku~ z<}`&vI)wP*4-yb!wI-EJ+7evta@Bp3|4G zWDR^+4rs7!0LR?|3kUuOSD+peGwS}`ifLyHiqr%RtpR2BPLmL#amf;zXbaRS(ZavZ zGzTRHw7~*)E0vg4ZRtjcTWw*x8aqE37}x0wJ=9|nj?EgE(J=8Fq2MmhSJjkxKT2=! zYb|k;y|-rLJuPDB>Dy)=M764}I5eSmr7Lywl~Vp);QuyA6YNTTe!xJeZGAYN1A3!D zA$3YSh*j9S=7R6$TGm>77PIN;=6D3&7JEATb<>+vpH-1a(bSj^DxS+XPI^mwHX9H# zLm6!p-^diQeFjQuYqML7671DPDpZ+#7M11SN)Z>;u*CcU;IwCrw;Eybyr(qJkTeaE%5GXhE>{+5Ues)R{tmYHw3hWRrE~9!m z8Iy?*E(fagT#mB$K@Xy$kSU@=D*%6_hgfw1Cn;rw80rR^@qR9Lxxd`LL=JSd{(=Ym~rS8D!Fb3n1ww-(i{Lqb^25s2Wj>|xq>;0rO}VJI*}`G*#as+~aM+oM9$8`A6uj z%8hRnJ#tKb; zEgz2<2(58?C|h}dBWz$^{>Z_}syZ3#k#1jvrnS}T+L{^#kUC}hOL3h8P#wALsut!u zA#1|bd#g+Q%19|1R-0gcWH+a_Yad%l0Pzv2XTvvO3Z zYMZ`(J`W(bdB*_h+#@zsy(67>**Or|od?9vqXGwKnf5kRT*-f!mr}m`BOsT8$WzysKGKGqb9qlrN(KteX7Q~J{(uY5Dg)16 zJ%`<)wS9hMe)O*WwV{$@!TeoXI=RVjM81)V+!z$*>3B2C?in!)!u~LoO();PIyn6H~>ZQ%)OU2{K zq@wr-kzcRz8{Ao4TURt&ji2(EjK|mrea9?|^E*CG@|^i}b6?Ye%d(Wx`}Q9^C4KRV z^a7jGyAxzbFFx7_{PnW-(P6up(EN@*nBF@&vg;^(C)rNh#$})a#D;rcg&ELotMA8( zI^P^ijqKcup@$zT?Dl{3h<5*DVWZ;9L0hA34f*EM0&&O#S}M_SB?OugxO>}!1z-f? zm0#~(*?nwW)p(|xqeK;o9)7tqKJXGLvV-=U8R|#2X1euCg-fp}Xa_$T9r33WE<9`&#GB88dJt)5sMrE7zgbX0HkA>ge{|V@yN4 z?HeluxgRgGft~{vm{G9VDAC6WfYo53FJbmx=sHI5Z?8H7Tc~ceIQ|d^hE?;=0j=i9a%-ijxWU$n&9obi7<~E zPfEpB7%}}4u3u6T;EJg)v`KINl33y8O`j7fb9I$-_2-htwLq>k#d$O-lSyx>?s8`y zN3Jm&SV9YyulX6bT8hg0u-ezqSxU4E>{Mq(hS}pw8uF0m5G=cR?Mw2Gs^IyPvlv*Q zVMr}|6jC6?;zYoI-AFVR*0oZ@M_hpt4^M9ldDtz1MsPJ@Zb&ZU0!qqGe;Dd_rYelu zimeFmZ>KbH0HPT>%s1t6Dy*pQ{6BOt;y^)#uI1WJ^?jf-9BA;xbw$LDSug{I-I)%* zj=Wn2x1|AkbHuy9TiIqxS!!rSbQYbs4BWVg%f+HICpSf$D5yKdiFV(6qq}{9m*8im z_t9d&uN$|Zm;EvTGv`Fzyq2$^a1B9UR_rtEi(#JVXpUFD^=M(J2hiP>UYf7lxjA&@Ggm&e|Rb9FkU^OyFN)?oJK_3ou>S?`3noIw71wg z=k1U9$a%RNzn;|12~VqEo`2Xn13cf!J71-hmHjr;R=2%0;Ak4}d|=bgjnNV+ywitV zWVdRxa*^S;Zyv&47MAjwH<9`Lj69!qUwF;aef-u%fveBWJ;n*o*E}YGkbN7+t6{$4 z@qq!(t5riA3Waoc=BK2jB-JKJg~c40+BRy>=e{zPf;P#r?);e7yid~l#PeS*0D(Z_ zCun%>c)^TIgk52=*4;b%!O237b7JEkq6p6pGi&6A>#kXb+BHXv&CJzFI7qqaNRaW~A~MQ=eG8P1Mc!YTZ?dR}<40Af`b$(1y>N6gTKHINNNJ_H+{~J}%*vn9XDfpXyq@nVa)= zpAxt2{L5?mTPySh$9sAUpI$T^M@2JGf_6cNwsSnIsYI7qir zh^sZ}%|j!8>Ip7XUzn}GN$RGZ*e#qsl`AI`z@jZ8mZ`xfwe5jFQoq=@(y%$#)|me# z&*F3Dt~lqb=lV*zC}#%70uINW8NY`-IfbjBlUs&*iC7z1*#xo+3kVy`jN8)$h~k{kyu>tI%JFm5G`kE`#FX<5N*3C-u^$DrN?)uQ&5H^2{~d z|9GM-xZvKUa7(_bof>6Xa_}iiAv5UZ{?(TdfyNz>7T&7UW=N7xu&Gk)lajrsEsc(75a z9~GjT*HAX&^wHLzgF|E^PE4eKJ49UWnmH;cG|I&97 zc&WjICcPSFJd4PBeV;kSq%1Mvwz-+=O^ZD{2Q zQuh28@&D!u!7@4l&%0J5LWOcLzgL!m3y7!1M6>cg{7e%Za>{y&^|!UTR__g5+u(gm zg1?`z5_+cUrsga8N58Lu`eZ=~WQ40V9OLgNT%`ihBjL^9zu$%1-~}MX-fa4)2mRxc z|NnlhU2KF~Y|oUW>X(qg`7HpRQLt)>E0BNnRj(A`k8aI;a+>~f)E+6r$Ko>ZVf9B_ z{22i=rmr}7KbX&YH7z=Af#?)Vg?#Zpbb3G#zm;tW@moqB8?+@xeyLb;-yNHI<{HKI zI{+`=$1mPYR!HL|$=Ko^A_Q7P@gHanS}X2eGs|HtUzEe`-Ms`h{6DmJZ=UeNdymwX z%$8718@Df-4p|4%tf&|iAu6x2y>9UL>$HXm)Y`1)|sf<{Cio=Ff!) z-mY!u!Ty8b?N_?jbr+uI&l(~=?O@o(MFT0HlNA1k)Gkkcqv_7I4GAinkv^*bBk2F* ze8&H~f<7vB50915FM0Ixl08JAGsRVt@k$%>>V~9ZDjFp3K5s>38=G=E_HNhsDjZFq zO(&0TlyK|<=400A^A7&1>^9y25q zkWusbzWW#D9B5NoP2hceeE$0~%YR+yK;}2s3rq&+(jo-Ws(ax^$w@!6{X75nl;hgm zP^z!hd@d9ZuUb<&DQa9f);TV^XR_D) zI7TuWWJofIe|ZeIONcn)%xx)T;R2Bsf77nJqFezR{r! zlbHQAsBqLq;Ku*9)Xy%Y?d5Oxb9ohuovnRw;^)+`ua%l(3A3CAIc}3^#Tnii&e}9X z`sp`S-5E~;`6CSML#24?Kcf2UZay^;ckt#ZOa}5i1Kx7uNxXPrNqZ40W@sqJ9z}|B zqtw?B&i9-OjaIp8SUqPzp8kkxPS8o7gmAv~=iOw#xm&HYOL(XdQk4yQnBZqSbctg@ zp;U}@50PhijkwEDKljrI9(@#T3^nb@(KjQc+QHk?0~uI}O-tmZZRFEZ#GipBJi~d4 ziUh9-MrR1lNUIxRn0k14Om-p@z?EUX_+k|uF#LekaodsAc|Ygb)2tTu_8d{OzB1#2 zS9g__3dA&!*^D3>C`H|Iy>;`~@*@7BC>Lz{oIY8(a_N(Ffq-4_wW9qL`Z(>n@j`q~ zQ-)wwvqMj(-LXfOrTrd@PU{Vik_R=23V1`1i!G}P@~^J#QT)@FDv0e?R$}9cX}Z6& zLeHhGi>8f7<{u^ zqiY`VDatsd5M#}=X`CCjy}@CU!u$BTRY^haKh$#nDB)}^^~C7Xm(ahuE*O0sYqrf) zS663VEygsgjS$pa6L6N||5_3$jX>p*yA92SzhyqiO?gURaw~HiM_TU5X@m zbQ9B(G(I=USumka3v{t6EJz3sDLHOx7fDENP(_?mw{%vqEcfY9=1+rUYP7b9ou1DQ zO)|_Q@evtPF*;KPoiR)|V-_|B`yQE%lt-ZB@a`o_g>iP2+M9~r*InQ?B>Z*jZV7at za-86xUxd1NeR3t_U<;bl#!czax-?*0Ki(z)RniEd8pt;Zqz!br6TxjAG!y0Wlz;d2 z!`$#PScxrj(QeE}OA{Chq&nF%-U5DMcYCfqw!{g( zmWZ(X=dRq);ku<-U>dBPSwVY|fPvMX^8MAowTU{Bb6gh*m;#8{^g^|VN^Ao!whAbz zw+cRVkfiAQPH-Z$Rtb-3V?Q_5*x;e7(@l zY+cQ;p5kq(S7yGv>#x}?^p^+s^w|ArtGSRGQeOlVBs|da5%T{AjcDBJa~|{wU*;qn zB0STQWs;wblploNHtu$!r&ok%Z=b*HAsO3W=2&2`DinxmU!L`b=O)+Z(4K8Bb>>8u zQnZ`@oH$?l zob+Sk1m&%Qgr|LCgv|M{1+!A!6_Elkfk@MSUZCv@g%{={jktd5%tzw1&^;g z$D}ia5QgmIwj?Ezs&7mWACR%iMO&@Cdm{w0-$%)BG)ex{bW38ozPV=EP*xBP^Vnk>#n?`BJ${E84W%FyfuhwKRS{ z?iTuM_WEb0j5y(UrEUnc@>YrYE@&4WJIwHPWT^Ax*sW6f9>L^c{!GO3?N8YyJ~K#l z%CoyH_G(M|QQ>)b?Y4`)TbK>~aaEu*_pnJ5E~JwCkr&5lxpXfEma~Z^Uu>|}r6k4i z@RkXHO5OG(9=N<9pK7aLLGyu}Q-oSNoI=y7sCu)Hzm))K;s06~%f54O%hh;l{X9*> z)Kw{Qhxddl4v#fTH@4z*J02LM<1W(8%@Q4U#L1;$UYgb4{xN2;x4$r@=MtZ{+yd#I z_`WqKWBP_`o1M{FXb;WUJ0j1xC&Wg>VNQXFYuT~AvL!~CT$$3U{9YZI3mmIx^^K)4 zA#Hc=iyxTwYw=3WkVP(1XEuxK*Bj5*0;PF1BH>(M5527y}0-BSC6(ZmZd#Zz1LwG&H<=Uo{z+MaZ78Qh!{N=p+;Wyy7AzE1Wvh1+EWSu!Ot>^E zl|YU=97Mp-T9rPDXOBP~*xSL1bkMIQDV^1%G@H+>3nxKJ?=`{7z{;Qos8~;i`sCLS z!%RNUrwRpSMCQ?J}6(k{Z zaa&;Iwsswvap(~6-f3!k-h-p?e){z@A7d1VB?2^|rp; z*^1=d8S3<+l)>G3jG>`rBp)|Kg~*^Sw+Z$upmEf>x37isrL z_@p>Q!lZd>(z2d$*==-qwu$+Y4aHh>n)TgoK(< zZmG}An*QE$#iknoKIVU=hE!)ed`GQEOnwz6!ygFPI+SIOI{~hF2@M|j^iw%)1T=J! zS#Yo&aa(vMXqpz9w1#fIN5@86Un(#*CKVWUeMtRUPCs$!XLs|JFbV*lg>L;)f?D5%;AW3%T>BAoGopG?;CMnt(KA4IuSqTEH z(}p&PL!Q%CS5FM3sFmY7t^P;pi4Xy^d^`ez#@n zf@2~2QGv0({NkpEFsY6h;fw8+Kl}3*CfAdX=|K~g>DbxvGw_9yZ>pk+6kvJAO2!ps zlEs@JI*R1&O3^RnrUQzG`e94AK6nKQz>ge^v6YmP)6&>y4q~k% zz~1icBa*ru6iphA)}Omld+LLZiynPuP&R6fKg%KoBGim|3^EHrM5+%Grd^5-6?0q~ll8@qA%_9`Zy!ChU#)VC*BmLIRv}<` zeg`VK@3!W=(9$ExqndV|*Ozab`N2wQ4(OzBvl?xVW$QL6T6&qC2$9aSXo^7Zb^=s} z>L+pbaVn6M^K-lkecqYTM#(i64q4p_`{cWD&h-;^C|R_hkD%~$u9dC2#UIM4HYjj z77W5gEz>}NkAwYAGNQ`;Y5bT zWM4)4AV_+@i`j)bR)qBB8##y8e3Jp8F#3FvBluw?PdY`{@G}h!QxO{V*H!iw@V9FT zUfY?LGt$$^a>eg zN_R{pO@vhpmMlmFq^xpVN<&Ax0R%{AzIVh*z8yg4jWv93@DIM)+9zb%uU`~+LF9GA zKFMikHfwqd3s;8auwpevY}$IUV1v0(2;#hS9KsMm$FVv3xEYGs9I$5)oviO$Zx9(~ zTCPB5M={Q=*L>GlD#F5&|MILshd-yw(FQ52&ET4%tBGgB#LW|#3n2jbj|5@Et4P~F zFI9mE%ldbwO-)TgNFDhxG=w1Dc#Onh)*z6}Zq-dM^&-uP)x=6{;zD1JzLlovPXk%ubGM=D z+vgTSDHkpXUz{`$O| zWb4YK^^{kkV?VBPq64GMHsHA8Scz_Sg_KRjsyGl+ecq?^lRoFxIxY3a}^QCfKMSDFrc?X&Udo!4k!@?BWI=lOdHC-P7&HE)y*UM(M(_3rhwav|1I# z)5QjCBaj0VD}lb&j0pcTax>DTf%r}JS-@k74ip`|AMx}F?Z7L^_f;Q#N2rl&+jr9E z_v3KmJ074mPK~e~BfiGr#c;@n;!T#zG485@V zFdvcjTxeco%UohaXiDM2#Qt4NsbcAt0kbmd{rgJ|0!L39_vNTHsWVG?VQNtX-5BmG zyG1OXy7+jYeDj`^s^+4sS67R(YlqckcN~m+T4f9qQ1-RHTKqLr_No4`#j*> z@<@%Xx^dZRmYdB+<(t;mK|2^@HslbqT{vK82`0KdR3MWs9JG|Jm>5&C-5Oy#WFqx& zz@RmCrUxT*=+3}*jo4Z#(g>05i3VsBRFjFtlW!$Q#tf#UF7fds-V}8H6)YR&FhN@8 zce57vxQ|D7$OCIbt03Mr zY>z48@G#85GP0k8MrH3m*@}tjo;K7hu@xnt-G)iarOGMh)74BLV5lMEI3?WDNOj|*7qZ)19q97#8{DR{K9shU96ZpC9c`oud{#XJsgk22p~yI zO8SQOSPWZd*Uu*=J5g4*&@lAzuTpO%s8ZhSk;gl=y6}s$l!?~S8{rRD!e|waRAW#j z?8z{YvpJPas4<@y8gD@@=Pi{!`fK(<))^(KGp!;H)hZ?LQDOXr-RnSPM7_C@(UqTq z8%EcPnAsftyAIyendE_8raoHw6iVOi3`Z|iIp0;#8Q>t2neAIqP$Dsm3o&=5#wbt~ z9RCx{3A@nP`ns1a2=Bdq$I5?X31Mas>9ZCVjQ3uT9$73u&~M;MRcrto^15WmL~ZX~ z;j!}Cy0PigZlhthHs!^{KiKOWb5FUKB}%FLw#?Y;^_tY7$k6RU@fzk2nofiTMY~18 z9-3Dwc9~2qO%Mnbt-Cs{fry4rQJKkF(-`4MjR_OPG=3cVgSp&uKn?!;mzRgymaN%> zEGqW9+NR(et)Fc4H>O)yCyGMW4@O3Av^3R9o135CTN%h~sv~!~tsiCSmMAyqGBU*4 z=-{;Xi6(-&>9g}xQfieiBCLg<<0Y&L3p0h6Nru~%&eavosNcOv2$`G>gn9wSuJC5o zq)q6?u-Zbh`obdA(9Civ(B^|>ui)fHJhwIg+)AuWkNw8kxxI09Ixw*zFwb!8czlJ3sD*oPGO**yu$s${l{mRNA5h5C zz;~8(+(akpZOD_sEDq11Zk~~7X%nKB7I&PZ{R6g>Gj#${h$7}7&)6m>>wnkltPia} zMWDbhTFw4!aGAn+3{anpVoKj}w`g&7l!a>F z;uYo2@x{fb0iV2rLPN~Ejkv*3pNxl5rbFAD2LcCs9P1!hXuO$OahsHfph;Ojidhq~ z7tgT!Is@z4<(vE}k@ou|9hsUV23jwH1rV7Il51n9G(6hqtk9`+J(}JH5X`B)8BMC+czPXU|obJoP|*w>vFD`h2(bx}@qk3U=@AngK^!3*ly+W2Wi$(@4+_Y=c}78dqE z(nSN6IUG?ro8wE+!sUFp+&&RQX%@NL6B`4IJlcp#oZ7z$VgBGl#OQJ`z>WyMNNjf7 zEk@l&{CSQn!a{5mWMwIgQhSnp9b~3s-M-b4J3imv9_k5~Qzv(UYp#o?R!GqX2M4pq zH;t(vD(jfcvOh;1pPWCfXNyorAG`MWbA>K)2!I%XrO&ML46a?f%TM1MERsi75<21v zK#S5T9@5MWmxb*`>EAN;*w5uLWjo$A>&Zy(%YW7PJvZ?zu49~}u5SF|aM{45@#v#- z?EAVjd~Mz7s=`f%5#XIEfL)3OEwAwWjMcSW?0qU%&>`QIzbO$InF(ThJ63{Zqu>NfjjWZ-hOh0FhTF5vEUaUBVB&0K{=HEE>@GwarL)Q6L z=|R^rlVl6&70$TbM?06^PD0)sMM=v2R#JBC=sX#YIy3=9l21OLM3SQ~0ZRnZ?WtQT=h#ih-nl;@A0!{i@MXLDrK@f3YzmiPjC5M3wUj(3p4{>H>fsN(KI6>Rga|~I*kg0EO6!gmhkmQ0o=&U3 zC@DR;)9P2+z~;L0HiyeD<<6lbF5hX_p*%;SDLf=6h)IfM;L757Nlu+!DVD*v?~x7} zRT!j1xFw&P%rZ(u0GIZBLOWQ4ZX>5!ubC-a1S z50^fnr&xh18ei<(+XPTt^D5J_1K z@drNPn{ZHjG{ z=+adSIA@6X;aWLT+a~iE4ps5-`AGG*|S+g zsHsww|3quHr{^e2GQ{GYvh9<^h`BtC?TIHpTja%8rFv+&=O$rOASBQ3K1av01UWu{ z-nlEqc@jw=dK!h6F?h(hf?`yKf`kd$Ghzn|B4>G7=(O2hr>9QTQdsK{w>x#rrko&I z-n{lUDKSyNP^8h|r>Lk~a|Dkj*s(#czrDtl+;Q_(4*7wU=)6Hk@*}gdy-?ocL71Mo zCeOWC6Hq1m+TEEx-fN^ca;0{bve^3iu(8XbglI_bC3P9mb2y<1GA@r06_ECAYb$^0 zn)NVg-ZgYNg>#Zh8hf}4bF%)B+0MI;&QU@p13g91JbsWG2q(yQF{XOnFy0?p$$%

Or5ax{?4WT6+1eAsGtF1-7(yOWY(=%|M_9jy?}uut?8N5a+j-^^ zynfoo&x~XTjbp_fUB=5Kut$b#0FRu9zDV&VV(;i+qd7zRY==L&K%`UAR&Ej%b#GQ1 zf0^!x^T8K?P8<8749$uvuhpOHJ(|ZnIj>hn(hcu(uRnIbL(H2+csGAx4y|H8=&lrT zWxEZJiW_lyV%4=AvX-yf%}*#8<#a{y(wx-`L?{Dm2fmuh4$=k(yDKWCd$p-rBsJL36zfLNK`TGIM`W9ObBy6v}tA;;qVl{ zdei0`7KP!@`S&A7w;XueTVH(M`gr|EGj#ZBnQf1Tt#i!y(w=m5MkZvoCNk}Ni?DYI`_bp#KljC0xqH*N+vAgoT$B?Y&mrCRmt|uL z;V8*GYhz)nAm3?YM{a9zcZN>^Og?Fv#nRpbaWYOFG+HLT*N8q%Ax_zV9r$8aQMwCHxSTasP(1 zQ0#zeuZ3AF(ce#awg((ilY5Fnzq8WHD&+A5wjj!QlTTcuhDaV-5+gbrBEWK9!Yn~$ zG&~4Sk)a7XpIw1e0Y=}#fST`P6g1g*O_*fYORO|cXm*&4Q0M0Ecn3bHR@ zT1mM`3L86A3^et^2_*oFf&IzZ%Yy*AkfOt%`3q;6>`}}u?U?Zehu}N&E$`HGyG1X> zpI@kW%bszi7s;p#zw?VxXWjM>-x;0ppnY)*j?+=d{qq`}jxN96hcx)v^Io;;{SO+i zSY6Vd6NT(Mx^KU+m4RDVu5iy^)UyvOB`3w1{CvaG&RqAq0G5;GHw_?hm;tSgc>5NP9H8lB}sof@Vg^#lgUm+P$4n~E_ zIgdhEv=fr$o@M(SEQp!Oyf}d9Y|i|^j@C=z+t_B_{+ z5JNsDB#U@>$D~5=p1hjLk$_Um2V;uq$DB4J2ee6laA`Wxi>()K4V7%ML#>bYX6pB5 zqL$`x$elN%)@NgnS*;aaO2oUSoUlPoA#7~gpG#Z3 zVw1?5Al+ped4Iaw+v1lz?J)xAeZ`7^(g`jAh>;ym(qO)RR)3ABz>d7qMdqVLPlJfw z{FsnMWMkg-F~BpqzrA!S>~2D6VVqEjyga+~1h5ZO!y61w9DM6Z=I7sJ5uR#2H8oXe z;5Mp_Zv+^q$=-K=Kc*~YG%P`!GsD+m@VN4aIbpaDK~i74aPmsU@tA>4L+xc89t?U1 zS5(jYHGsUB`}zI;y`Q8OXkw(bbNT0)eO8GDLDX_Vw)sTuTLp1(&QMkfC`7l>K;6V0 zRU%jh4eFqO!DCfluv+dE-tN;MF_2z}>9*)krfK-X5(^TxdRUTT+OCLR8$Ke)>hdc^ zCrVsRc-JdRiU}130K3zG(XI0EhVx7Lo#nE)q@=rsV;&yq*+yI9w9Hp&{sh?FTdy^I zbV@mLbrp3RANRqTmt`>V><6mMD7CaSP|)<*qXmbFKDeW!+IZZK7rzGC|KWvyg7Jw16OFKFsCd{R@8b=Rfv42~zX7 zEk29BE)@N<&HDZSEf~31lzX+Dh~f#BJaXSZ=^LO1QH_g*_-cyB#9^#TGzP9~Y3wW0 zUFItvqqoDo^sf1GTW3wXMq^YI@-PL2_EP{sB{Qu|qx)|B9dVU26>+?@SI40NcMZ?N z1J>hsKmIyb_QWqtZJbLkbd#F;!ADIT62cFwmTp0DPaylcOm?_yO-_!0n+!U*^#dz} z{W(-{leLW*y`JxFpH~ZN+M>eLFAAuBA0ZHMF|}cYzru1+g~N;b@>UUF%o*4B4r-8R z1$2s$@KZL0pd!CanH7bwa*4|?x{#A(k5eJ$OMV^g9l6}P7pRp7F3Jl*7XrJr!ykM^ zVQw(dpMSf5?j!qe?EN_qFxlBeZ`peWDesz^4&`k-zw-UpB#K|sj|qt^Bzd=H>1WqiFHs>V_^TX!OFz7bUkd5u$Zjq(9 zJa&Z;>+<@Vsxm4P$XXQlh&PpA_V;R0>oF-C-mf4!O=pmI+9PkgMqn`%E&u3=+J<-N8q zikkP~&iyAI(O*@dvJDp+dk=C2M~29Lj_|^h`y|_wK}p}%V#|bhX*X`Zi?YUtJ912= zd#O?|3uqEo9n>hTQs2N12@6jq$L#k!V4L8^73h&Szc@|^t+A$tWF(IhR5LSqE=a=F zt+Y@hW~*h`0X)TBm|7(BohMG5H7*{d)rRe1N!Nywy?k|+bh3lNCV8*F5xSM z`BsHq%@l0@@O%;CkQj?BP5>zpEWd!@*s09}4(a+-K#}x`+0Lc|I3MMyc=La-;(S1C z=k}idM%$kzKlLfVEu^h?-2a>WQTRoIL!0oVzlQ@CbQFNFE7}|WMiHH!@QDmKPMu`d3 zX@2XnAY#Tv$HpIvcX|voy&egqfB4@Bj$&6YA||Og7H0^(YuVB(=3CH#J5u}Gt;0pu zjwX(%D?W+&Shxg^7TynHM0Tc%!;`P_^jof7dGZXs;?8}hD`PWgv|`uc0pLq-qb|nX z5nh#eGckS*!sHi#SH+Cw$opk##T^;q%A(?cKija@W8zd1Jb*0V*-gjf|vI&RitW|97i- z!~RdnaVsT2(ypv8EzYravFx4QvuJop%iPwCmd|oI=cMN-7)ZF9H!T&YG=}zDLe#Kc z4Jf_{&T;3kPOY9+k`R9PnF^UlxhkCnv~K)Z-c#igl-H{BAq8z}mE@EZkLj+Vc5M~C znO0Kkt81wESq+gpxd~lA6*Mq}V$j3-zI9J$Fo9DUs6VCr`0v))&`> z9C`3dz66CR`ewuGlftaMipN?`h)#lFw7pqJWh`o15U?XcT2gO7M)s5|^#zia<;ISX zayLiBr7b|+LaR~aUV7?yFxAi{Oe)a3TSlkP}ovzBM5HwelxZpCO3Jl4thg|u{Z0dg{YVzpjGQ~=Z$G;ib&MnpCuXJLp7*Kopw zz=#Xoos6OEuR7{O)b=Q=iiHj&@yz>Izu)*S8tCK%oU35F!##8~`r`5Ad}@ZD52@#b zVsBxVylL4M^ZM9_i!EzL^w}E?G#BG79CZiRb&y%0pvl=tPK5z?rQgPg7JYlUpOLt5 zZloe}@b#fJVA%BsVOoQ!mnw7m!Ci623^sZF6eyA9IScAAviI)(hcxuOLu_p9IJv~K z7!0Pe&D#r~p0&he;w~YugYkh(9%RddMV@%Jv)7y>mVJgQtOl|c{yjmrZ+!!37YJUJ zt}`+3*m77KwQG=G^JQM!xS*JLA7U-YTVCBp`8;BLx9jZME{=e&mbJ%(()sF%CZ{c2 z+9Zy7y?Vc@j43dL<(0??gL*ciC?#vCtQW~2oVnv(QKw#UXoNp`_{{Ui#zi=9U>A~( zx!(1QFG;d}DLf5ri3%p>e5s;Sq(OWXDoL}&0)KXsir!6=HKMa_Rl+1F4IR>8^^Ckp zsX{S*K*${P%Af!!+35Qz)Lj`~94vyF&asmXAMH6NqNG2$Q&2jV>C57QZriv00-fRJZ)d$LqMc- zOqTB3$GPxPekmgWKy9|V&i%qfOd?oirR9feNOQAAFWZ^mo%^c27{XK4cU`bDuX3Ao zAnxUYV$T%quOT3QL}xXDiJb1tMUf%FCWt8t#%Nr7aLm#EoAIugs$2TdU%{!LDk3W0 zntp{8ELqB*fK0^z$bi?eS91m~m=UW3T9gQ4$VmIhBjofdP*eEXtg?VWet64(YH6)) z+bjzxVnV>VypPE&Fn&uZ^3%_^zy-69g*C+^1@hEkx(ZGZ-hBm!R^p=)VL7~6(pmbJ z^ka(G`2XS$J6B zY5imk{R=0)%sXDBDkdqp?PCwl3ir$u<-8jPbG5M0(agilUj|MYB}oTC*0QaciRMxW1LpU z-WWV^Otf9muvinG34@xI@8y?nZS$~N&1yX`A72C0pqTb1yj{RT(-m2D2zSJaf{boL zCO(>i;ylT{decYwrbBc&8ZL4GkE*jSa*3RJqR!VF)0BWg?GBq>GkYDFHbzYt?vera z)&5?pQDPIpySW;h4Q4&<9mNxRl0_YDUfLV?WS&YCC;}6!E>0OPY>AS)ylmXKjI?tW zG=K;;sBB4%d@uFq&R+fo23Lhf19dy!@KswRB$erI(q0bz(U}`W?5~fLT3rt@zZ|~1 zC=dXks$VJ_9-em=wF>gWG-WU2T(Ab!8pE7428R9kI+^>B(gw4E{B+4L_gc|S^A!|B zxdHs(^Fw#c&_l4<`oN|+fQLR)S7%f&v0<5NsR}jg@0zG3HEykd96F$JW!+yy7F8dE z#ePsdEsqkTO$@8erre5QMz%;#uh&GZlN3sX2rwM|oo=O+ZJ?8! z%^}E($oXTRX0cVstNz>v{mZGDWlXk`B~94G!6B7W2#EXS#~0Ifg{5j>OJ7dq(p}39 zm5mbX0acX(Bi;Urt$d!zKBBfT?Q=UL%>4<==bZ8?#Y4))sV!ZLxNduB2m)!Ycpc9m8t9`~Tt+Yiu~xotczm(p3VQl3yB$}!UD z5j^tc@S*!{SQ3ErG7|H)$32WROB-#i^^Tv;JCy2aLbw3jI_yeWL{Wdo0 z3$bn#>eY4&-Po3;!5n?4t26%y*@VT7?EK8}}E;RMU}M zkwEnRW!yQ_)BQOQ_k~4{zSMZO_}6ne&v*4|`?45Ml30z}f_h)=dt`Oaf_9YNPWyP| zj`|s9TrfaG?w?ynP8*ikovlOyQwBr=dnN77U{nCbgU(!{WCcc50tf-bbfX&)uC*O$d$l%RlVX_ZRkF+L-+}%qh@}*xRa^ce(Qt?sD^_=t@nWj`|BKocG2z&5zNh50E734 zsdQAWUD$)er1#rH4W~K$Uyc0{FA|nPUPX8ut}m44xJ54UrE{+@^Ut3GnzNelgK17e zfr4j9B%o>eKE^Np6WN#0lY3fihkmYKA9v)q?9){Ts7 zZYo885YHG-cXOo(gpb1RkHIoqY$}T`%zm%Q@+9EF_IDE`b<55U;C_&&*}XF(u{3;N zvmG&o?_?_1uX!winTRf;h88Ufc6p&1_X(F>tVzFIBD*WwQo#A~h}y}%sdW~+z-#Z$ zfnlY7basIvF!^5v-j9@s>2u*W^{BZI=oU=Tu;}au_;fRb)mW%33Lulv&BmksK==5U zwe%JhOqAKmNsywF;5P9%Esn7(BI1Uv)^;f%yoo(y<*h5;fF3 znWm6eA(D$DM>DFEIWmNynHc2d%x(M|L6>gYyrvG7F7Xx%WC{QPPT?zL+;^7pbKO?R ztaUb3G7qbSudqI^3W3pAS{J5mU0&S3{^``hEXFAIgcF&AUDOyLtN zlb^$mZ#XYm(?lHE@exj)yxCRy%KDoX7M-XB29r{Y`FYyFT3`izv0xTI_aH>5aHu`L zo3aMle9#XGX*YTJkPW5*xXB<|cm^gX&|KwTwSBM_2h-VG$0y>0_SAyCqzUG7y8|4Tz3Go+pI!; z;j7|$%-kl8eG{?~M_~z;i&bAt0<~H)XvE*HAEt;Mf|TTvNm#(i%!U$pA0Ig?Map*I+*E2A+`r~Tg!Lp<5@)w&#+E`c}WYwL#snEQR zda+I2r9|}6*J$3|(Xx(AGfm6%{!9t#L%~gMv6BUuRB<(wDmPqeRq7z>97bJ6hG513yV>xdq;bcn$ieo~R7z^by{#~1N(c5Q zF=t6H4_htd+ggSC`Iut8d!!fFG+K3D49esfV$*j2kUcpigLNv;2h)ySE9M~?k2;IB zhZm`18kqTrpeVUZB?o+->r4&|fRQQr=O-R^GfS1ESsMbn zk?!_Zn6u<%n;vwbTwh9&OSloA!MqLQjd)QZ1hglEeF{w(CgRMkW)6U0$o{1=TSo|fBVrBd{^dt>H z1D1^9e&Ogz;QY$RdiEOYLmxoR3ZZB~5R|raV|PZPR8x;O*fjk<(L@@pvkS(!eNfU2 zqly(FzoicV;Jka2a?{Tdl&LKwJ*npxJ!w7(s+=?ISM^xrOQszx9|8Dkd#OVlylvi}TOv8!(*$k$=>H*&Zj{_Z21Ms#`SMuf7Ag zADtu-D)Cie7nylwGD^oSa?GGGZJQ2%dIakn8s)Sf(lgSUGo^IM46BDsW{8XMyZ3!h_> z-m5oJ5G{I~MyqPG-(uaad zg6yV)&+Rwc`ya-=#ZNzXo^+Sg@_A;JM$mInv^fL9GHOz+xMcMK8@-zcE&K^plqF7! z=0llDNvkAr~HynW@4e0Ke z6Dl6|+Ma8qcX?UP-Wx;dymDOjymAys?(Bf-lkjpIvq$xSCl= zy@Nh&Zf?@F-2Pcy?kn9Cs-OOV-LaJfwwX1;Bf|ehAhCOviq9`epm;Y2GlpG#BQ>fC ziP2#+Hm8%5?ZUm=%HQn% zgb*)x*lGYJ3jC5OxR%Sk!o4O}L6QNvyk)TT*iZUD6!rT`L||s*)mdSUr<{FC@Z1H} zvvhKyw*ZVWtFTlSoh|OOmZ~f8ZyGm)Ou3dRqg20CFkkeWVQV6n5t^;EN~m^0>=gIb ze4iNa)3%SZHhZV8gj&D2D&>EP>|2?0^|~_ggHB|#k^YN4Z^(A9Nr&oI^7rsMxukmrD~%6L6_|?WV2Sw!Rf5vGqgg_b*r6_km0LBI;%B9Mf!Ee81-V zpg{TNpi$#4jbk(Q)u071M17gK3(S;dA!Qn?(v?m2-%lfIrk;3IKM^Cpfl^F(?NI>P zR!$@_qN1_mm80YPBKN#EQ^!Cw@w5?@NZ&wV?hkBv?X8rqSh?<2>zV3E>3CMnLRC>D zS%WQr&D*dZ^$)Sdg4fcU(J&(aRe)cjOBeqC&hF5=;INF><5E%CJpsJ0? zhxrW}xAY~I#!9a{_zPRPJ8cz@I>5>(<;j1s1wURI+n`;Su+7QbIM55Q-U&TF*sPVD zuW%;Vz!@NnHSZc1Z zIL^4Y@WWlF7DwT|R!90jm@NBzq9u#%8($mSzSVseu$T3e9D$2hY6`l{NBku-y3}KS zf7P*79VPjh!`}W5$*o)|yIQZA>ev$YcA5sN065mA&1DgDoE@nJ(?7JYb9Vro(&!-u zuQV=9)${5X54S)fcr_dVYqGJ|S9E2AJK1<~%z(Bha3YJT0E_k7>+few@J-4S;E#2r zWvFceufEI)+H;i9ddWs}RTAe-;Mvc-K__m!xen$@V4IW=i{5z_J~NnO^(0eoS_qMD zSCZ0m*FH}?Wk*vmC9=SJJ~DJ6Rd?C~Axrd<1D!cI;r#w$L21Zw)MYqNYtelFZ1uUe zgfMz8!WYrAn3_Rh$O$m;!d8GAjl)E*ZU$}l^`UTT%3>jvl@A>Sx5`T9uNTZDLu$G+ zb*wvRcQEC{59b1k8M7`_j$lgXU4%GOV{r_JtI$o@@3i>f__d(bdF~4 zwXby8fxddY7W^)OIS^0xEh5llr2y!r*9Q6`}Ju!%VW|MO$eAZ*HtD; zcH_{i5EKYQp`rZS%{!ntcsVB4y0*4fcYUC$b}oP5MdR$C<9xt5{7NZ*3W54H_fu!9 zom~t2Dn#T;^72H@HU@0zCczvfn7`m|H~;*%n3xBzzPr$+nhy!aAcK{H@y?%aSW+p? zf&`alsIE8e*@Xho~|4QNoYk)(6prxwN!2Koy3-fv#Fj zME%C%SpC*FOUJNvri|jJvVs%gt(~3vqgS|}NzTT(?xgJ9^9%=SP*N_gZ7i86=?li4 zsUJLH3Dpri%hFRHAObfP@beB^w!*~tRM56xtT-MR?=v9xY_y`JK_X47q|)ajn49d_ zQ0VuAgwKwP{f8(%=N0~q0A|(SpW8b+Lg)Av_-l)iaIF%D(21h?D2kNjEWqZrj{E%i zK85p22AvZiU1^2kVt!gv96W5|!fRyb47zwQ%}_h5t%-8x3T3%^DbR%l8r_w=FM}o2tC^yWKYow= ztWO>kjE^sMDS;v`U|yy_Shb@C%4Cd~|L`oou=ie?EERSZ`KW@ecq6btPZE(6y3-iG zlsIi4$__N)Wl4RD^ob9>3*pg+1Mwu z;}go>u%+V9tuY97Opw_A==F__cX2T_UkeVC6KrWOU2dHHmd1=({&#S|et4HsaR>7s zPtHwEg-$UMoaf2E|8~NQDLn`@rYh)YK@mA^d-#=iJ#+{B8;N^oRX}VPZK0Izm6Mp}p9??aS36eeWq)8h-k#VmUYr^Kk~lh} z|9kj8T}_sy4owT5>&gyl)f$gQKm<{l$+)w%&b2%~^`^Qd#vfN`rTO7Fnq#-Ooe>?5 z%ZKc;u2XFHSf9n7nVA)g?V0oK-2ZXHt4DQw90J*A6SYc=_LE!%F|jXO3CU|>*)VH_ zAQAlzi_OUH9lk@V0OjE|p+Q>nVjd~|rYIPvpYP$-Hm{!kW}1wIQ2QMeTiwkVA1CL_ z*w%U1NCZcm$d?K3r$xL0_~KW?MaohmWcQl7+Q64b5Cyc) zCx`N=Tr?}2*4>-IP4Q~Fx%y`nVQ-8WP?sZqiPn*;GrN?6GAiZeq9$(d>!>=cCL^zZ z{1|pW-;$b+pZ~7YOzs~4uZ(9dX=&>5sj2pSR!if@CgSH1KK(0m8mQgugD|<6qk^DWu;7Od;7;S@@97Q z3v!bx?=n?L*ZOi81D(WXKE2{!HaSUGr~HQ6P1xZ4)H<_gcw;fvEC9+#Dxtp}@AV6c zu}5a7uV3e^ootYif70@h#v?y?mLzJO(l8m-)maTTCV3gp*b=*|t88al z3cICoS9%B?-b<2(!bigD;W;@bmRc;DqZZsa=(pC6Ej}33ONekf2+O9lu~1c1u2=0c zy#psL9()gI?`#iypQPXqyTH1k6=t}eu(Wg@x>RFO{|+RL;@riJTb@n?;f2c zY#YO|s^J@@+QEls0Z-j++}Hcf`9tRnVhTkpBv-psI6E{gO+~l ziC8#SO-<8coS$HlLiG9SMIRk+$easPrV7TL>0Z!&+jSc`d|6~%yZyjDflf2u<+!8` z^{?8bs+boHKT$(Ue2(zXXQIpune-|3tar|?CULgjoG1$f`dSGlS^5o6@jWe!i0Kk-+}Mz39uzpMQT;%e=~P+TH!snL03Ok$|s5tD|Im9F|ZM z#JE)hjK1^^P?}+6*Dt;SWMSTLR5k=J_aLIHXF8a4Ow}-9_zD({dF$3!OrHTD7v7c! z+~}+O`k7kZL`G}pS74Lg#Cg#Hny$}>kcn|D!kUz%KhU#OCFSSo&&A65^gj0(0UkM$ z^V{d=FlIH>+x9Mxw#rP*n45mUps@^pjPZClRL>Y6tM@@3+{8~(P@LXyS;h&z zd9jS(Hbn}62mIww3Uu|C=%%){Q!+FNQFXFFqyNanjS|ly20t`iw{}`VD9F{9ncfG= z-wfsJ;bLD1o^QmvEvouP|LssS*`<_%P>Zs0j+$b+X)KXL`N=TJjJ zOa8C6`3bB7Vk#)iQNiI~kbh9Qq7z=CGYGQz!v{nw89?Spyp%~Z5!7F?~^?j!nfMaUn^sSNr?689bC{5AiMjlUko&+L0>m&}g8 z?UsLe=nW{r@Kyu0qSx(h`SO>kl}&#;WK}9V?=N`n`Ra(p4~IOa6?i0=6w!n88=Bc- zRWW_{&E}5b%*xW(!8_?&$wPPU-`8%n$Bt;(!0(|L)sz%NR$``Ei~| z261HIaqt&TT=uxSggW}(22~i}6Vb$^EcVPUX87UPx6$$MMuCjUi{IH`M}#DUXzKcV5a$c*$FnQR zD0k2UtIXALgtqz5|K6EAiUj@$3jR2RCr5)F)4cgh8B%Zym{~B!>JKy9-Sm$wgBJVz zpKY02{3x0?9Uec=A$!unMg)I|$-=-!6fQshRU9_W z^=~70;^hBT+gRR~@DDpIeEQY*0G~m<{L9xS)e>Yi)is=j1+~5j&mezV+F}YIZp7~A z+3r{TvEl=yKV@cqPx7NP<`u2z%9nWfx>EkosFy3d^(C16dVidzzdvU(SgZ#0G;e^C zSZ1N$g+dt}AU4x)iGRr0q#C{tHqcp`2giOv{sJ>3Q?a&Ie($N8GEsnD9Xx*CjpcCn z1SnIjmSq`*A4Txs@7&)D7w$v0nMiDZdK|brcV=J%blt@ijvl-F`|>P;So52)W+6W? zdt41TyBaM2gyXG=>&_xE2~gXYqAwr(B~UV6qT}*gIoicR#pPKOp4I^UoiHwhcVhp^ z0M`4sj33oB#-?3mus!J<79^;2>*>oMii)r74}L2P|4Vf`Pud^x+|_9apYVgv*QeX^ z&3&j96_^MK1>#sW=s^L?vm+Z5LE2#fLS!DxCsVA+lw~5QzoMyn9x}x6_}1jF;+!_t z_4xcVzEH)sx6RbhBp_a@G{C}HvzMFmFzIjuI>AeH1Q)}ieypy}Q#iLbM_9H@p%3Bn1P zLL{tuyhE`Tl#a1vg8dr>SskZZ+Y zb9&~_@4yov>WzV1xI!r8@64rQuV{nhIQI=&y+sYR8JAOMFUpGdE2^l}Nzlu{7!}rF zKn+s@O!xq5DL0N1NDhwcea|0?Rdewel>+Le?IAQ zj;xbuLk&jD!Jt&O1PUU1#*TeKm0Vo+BowTzv0{b@QOiukMjpp?n92-jHV2Q;DeEUw zY62>t2uBW7?2DZdjRhZ@P)ehp1bCnf5SnD$nY;S)Pmzr8%{Nlw6-TrR^6Yr@n z!JqL3w&>pJU_p}{ZChQ^^cXz}HYmrYNC@eRIe*DHiN0OhDQymZA z5mL*s$n;b%afo+X+oU(@`-;g>ZesD@ijX^I^Z~XWxf1)c@=vPU1&FB7JC?EEfw(DJ z^R2Sih_aU$6D{7o@S9CvpZezUzU)1XTD??h25)`Bg-_?RZj#-lHKu2f=u71MBWX?K z&=9)UgK+OIDK4g953Zf{F(?|>YuA4q(5}-WuB^=UT&Od496k7929c8xkQ|FJG-Bqj zE}@4=uW><|E!hh*^klI(%lGwgM2LV*5iSqe8shX&cIlOEAJvfZA;XB zvcb3YtC2z_H`e~uSTU8GDio~7Vd^-)86GQjcvtv}G5xqYbqg!Zq+>yIzs@QA9HeFh zo#7>iZeO@axT*FQ8uyKJdSj5~hj---@cS(nKq!rpsy=sMJs(G4O*Cq7fjSC<;K@>Z z?}aeS3LL7(+u(tD?OnGzb8LhTkHA|OAG8_su1oq?bRoQW;rEx{qh;?RP9EIefc&#Z z&w^GgcA0d0ZmN$j=ly!yPrG%L72E}7h8polm}rOK=`fS~j_$K(;-Bq}*Sa8QYG?Df zc=d*6F;wUl?`(2H zJE_I&jb}QBqmA2ugk-Aw-)E9c96toyt7x5$t+X z&E(@iHWr?hn#B`s+jaHYYuFQ^>@&vU`)htmPNeR+0 zo8Nxk2`v*X5#d9c?=i(dBGYdO#OYmmYr@5&ZEc^oz|Ho0Evr7F1f5anim4tRm#>UW zLW355WgY0z)h`((I=7LH0r9)Iv^1G_7fDP;8!Fe>9KMKAt}12kDWxcX_~u#l{9qTk zW1-7RRGdYJ3&4Gz?NcnotaO4Cx|CFn0|zZJDDQNnJ%wH%gG^&J{Ko6Eo^-MtNlU%P z?9y9|uyruHWc^+pC_RR(BDpG1&Lh8EYh}3hzDr#12(4%Ug*@G83CHlc5tKv0TJI1L z&Y%plO#`a0b8#w4!P9%Fp#d5>{>_{oPW^mM9p{+`x4Y$Hs`kJX0$LLtjD5JK!dLL8)kw&rECjp@rzk#mwjarSe8 zvxL8Plr>Tz;qHreSvuXGtcj&fVo2CTrVe%f6Vri0B@Sqe2#g=XTeCmvV0DT(lFb0F zDH_@#C%CD&q6`{oDGd$^TPzB`mwfe0vXbRdE7PVSwptV{y!3K8imNk(nqcs+RW|>! zZ@#uIGu5z&TXd6FkbKoJytlHBXuFsp-tRkGt}mQrb7}eBb4zFL*@=$=Rn5mf*mM7o zb{a9V7eoI`Qr>8Lip|p}|JHUfPrTR6j7ySVQA!t5A#!D}(5MBft>x&fU-^)NkIt&7 z^)|vT5zSWE(2VH&66LxplAQ`8mNSaxLqxNc&CD!xsO+(%bfpH5Mevw$;KsqOnfJCo z8%>Vri_KBYr?(CZ57Qf~lu2OaRkO6UrD=%`ma+6CD|wreoFy+SF!88htkF@Lv=rRa zr<6UXk&R-FU+s4`;`0`>P7AR~Ch16`tDK?>k&SvFRpvNOmH!Opm#r^+GqwxmxT{=X zp*-Fhttvv#G8MsP-w(|wI4w!fwk9v?*WdDH)h>_$)f$s8FrB8->mmCzb)hglU)h$K zNhOWbx_5S7T9m(10{arBActKzjMccuNVnqF?6%yud&XU1yfVEjR-(PL#n!sx{-MR) zCZ0|$iCW~F9X}h$c*fTHU!U_HGf|ahd;CHugL`Nt+Cy4>v5qFlh0kT$`K~Dokr1RN zT$;Yg4r52DhOnwMUVbFA{{A_0px>!;pp_7hJ4`o8Zds_%PhgT^8Jk|f!kKxUC4Z0= z=rP`dogK2@i*DGAnDMb`iSzP{QTt}`WR^^Ug$z1ALRa$#dfol(yg6!j+I2_OVaAEjv?b${9^BA718v<|Q5Jkm|Iu_`tfp zWv&?05c-d_TsR7wb#RB+szm@%EwUa3v%Au?JE8|&>vT=^duuV9!&dgxWOdBv|q z7*WxyFT$T*3u_L9UA~vPAC-?QxP9Q-Y>&r)q^rZ-25-j48m)9P$_)2Atqm})$LFgW zy-FnT7UXsEWe>GXj*%e8v|4RULB&FI3uR%0NsdH?&0p6d(jFVxHDHKI!k?a@YjdIv zeuoZ=iW19V3$P$WJ3!9})6^0Eq>7Gckilc$4zm;CnB~EjpPSWFkD(uT&`zZ?rScBu zUB41mfl9ypaX<4YIr>*3G?k1+tYuMpk>sxGe56Y>(7lyNB%7Qs@(Y(&n>> zeGpV#C1mhs{e489Cn$0o6pfb)@nUN!^jlrLQ=nS9_zpS#8c2tBMf8~0;`WHp4+S$wVE+TUkqccThkqoe|4=)!nc zzxkMso@(SC<7nB@bZU9K*r8k}gj$T(-y0HGh{&1SMJz>EHQsTMiCqAQ7y@I*@?8ZV zq?!T1SxDtyy~n);*38@Ze!H&7e3I82I^rbt`yrCM87-ianc4F2kR0rENd+q2=b5F* z*q^qqw4H6f(V5r?JSF1sC+HIMLBs|H2Zx)jw)6u%*sMBMzB&Q>y(fOrc3DnqJ&4Wj zc!Xd^DT+5KDeVIZ`_S)xI;Ce+S8s;{+#dDLRu?a|njH+HxhQ1y!!t4Ah4zej;j}Ud zf(8mydQB2F_i{38IOhwI=`maL14X<&lM$V1YDLOnVPSE_#TpJPQ_oSIwk($}U7FM^ zD_&`>!(+Hmy)?n3ZM&&)P0;DvoiEABwFtAReL;m!7rjoH5xNg6#I1G_6dmus4Q$e|@%Q#c|=T=dC$&z)XvYeQFaY z2WWRRWa)4SWRnyM-hy6ZM8TwOEh9ax%%H}ucXa3z<`-GENafAp*Qc!})esWa*4gzg zh)b}mZ8|8RAHyJyHV?< z_UUNGWoy1UL?JOhS%z;UsM}7n8M`yv)wMM*?0vz@ zb;x^JRTDZEJJC)rmE#2kW_;gC< z$0Haym`Y`fNABE!bEPCrLJV#=I_4o%T#>_OFS=rg^$?#othfgRnB#@Ut~z6SMwNr@56X{Kp(T76SEcrspwf%H#V3pO6`ELCTqr^*>+Smsgliu!uh zKacgq7J!3ESBgNeRy#WyOeK(zk*Surs!4n5?B)0KoO6ykIX)+AMEpHgQi56apYHW`);+&JN)y zld`GINB&}(s}3S{*9>S{B*NwtQxv_T)BHz3SZ!$M35`EBdFH##_asv>=KdPp~(ivuGvTU*HC9s0P)a33Ak!@A0Htcq00^V zc$deg4R%=-{Do@TFI~G`PNM-7-f4Txm+mh$m`AdLd2(NRh@vk7exP^pS}!tTH_Gv* z#Dz%wiFmkH$Ra*ns7h8}o*&O7L))aezmSpk8d-k+c9+~CBmM^fy>YL`LS2X>G`Wk=1y zGh_r>K1Nzj@}#H7Ecblb4BELuWGjIBm~_svio!AHA}Mb>jZvv{Z>WA>j!{)Ob`;%L zn;c)+snm%$fKo`w*zJq3UI|IdZrn{*+Z$ZpY1-4_J;0|4x1iA^EgH8jW0K^%=RVRj z_ISpco)7)%DO7r{aZc_j5Cb5V88L^3BwlCmYCSvHhx4b3nhE*Q2$0L9pyl$mNf_O;1E*t;+lSvVr4(==E|{EQYRGZ{NIz*4o{k@B`TYzYWL94#EJSp$+)WWAX~>QA zSpS@emp>LK2?x?)3|*a_VI5$GR5jQG`Py@3d*g=UT7&d_)Xq6mhD;@<%xcpeDexqh z&0v)Voa>q-LN0O&iG8DU?=F$*&us3y_{Y6ieJ&RmOwTq_V4Bg@q2=GtQZnGvi$-ze zzFgF9TOhX|G!5k1k_(-cF6`^;*KfBRm&rQSoXBJ}DvD54%e0CQRiIOgkcp)8h&dMn zG_2+4%Y^QDj>oe_rWo`tDokt*2{je$%;3OGdcRr1rrzIhzL?iYg3q#$PakZfiAZk2 z+k111oY7|Lv&ToBRxz`MiGIPnCP91|jTNc7kZRM1r_R#I+NI_{F}f)sc2z`-$|&4^ z$hoQiRlN1$RBrPliEaLSEiTqO>G{snPMljj%U%60Tagk)T~B!U=D8opT8Q>-uV(ny z@h#L7Mf!_-4_;o)j)qVe18n0`x7CVr8o6EfV7(A1u^i)@ z(>v=!Tz!oo!46&RMBa6Jxhs}gZ$X#Z83Vh56zo{-RChI>iGgsa#lkKb7wqJz*K0hK z%aePVx;!?;F9=v^r95yT0U{D!6L#+dt}^dkF?02;U#@!`d1)yuzn6K6m;ex+6N`2e z%9!i)W_jHM-4-(X@~=*lZ}c(^`~bmHHa`a+=pih%HAX6DE64~>rAhNPHS{2y*w)&q z2R8bb*(xs2Ho3acgi{9sT+%(>{Gla22#uoidIC~+u@ z)fsB*tV~6=-MiB_y48v8C!3x!0fGzLC^OsG?KyL~k5xuU7Ad|t4*9ii9s6tnlnBDw zv+;ZERwRc}OlIqwcOefi^8g%GRu3~@8&d1Pv^&}X%alu9)r3A<3X9;%aVrZ#19a76_F?v#&V<53`KGU({Q^R6w%sa&1 z@Pn4|s6neW*FF1eC|*}bmj*qURlsQ*cB0MNGg=n~I2D}K);2Vq)gSnHslC=Z=L>a5 z5Y~3^(`aOZ0!eAUN}qzBd6RV_%QUy?aT~!ZwOM=jKnbK5JM`^G7(DqsFNsuZY0# zQP-w6#N-TmL;a*%B)noh-%Bs%^#Q8e7)?Z8#Uv!t6yyTY<#BT2Ub0zzcSOZLuFNP+ z_=xsC!(%Jd#3uoiK5-ruX(wqXzBCnTXX(Phytta|jTo3H7YE1W%J%4%TyAQ5*q4?k z!ki+}Uhxvimq3{HUA*8_KXM;UP&27Z5*W?hENk5p*Cl#WP zi(A5NEIU^k$TiK_Jl;JjyE_iH2Mut#Kp?ZTZ^_ozRIBNE?pC@Ex_i7j%z_W zBdyx6lyR{N!^$0y91b(i;5rp)(CF0GPuHF%>j%Ts!izx+T*Jf$YR&tnaHDirGG)?z z4A>6FLUY+hv0IH|&*NkS6{ioz=eW0C1s&t-U7^_rrPNPfuqSg$Zcyt6DT@2QqOkWi z`OwsN(|?V1%CCpy(EC#bpnKET$v82UXvDdIN7MX{YnbMNCIEQG{wV5XwBW!Ln1#FW zrh2jyq1PW9P$-$2`bOL~O`a`U5R8OgLxVgIO5s!>DIue3J&iffCoGliB`coM_djU} z&i@i--5QZY!-n6d5x*Gu{qu4#gtsai%t_+eey?*rSA7kGsDpxAf}K??#1w~H@tbj3 z6C*KdOv6u-=_?!yTqDKq06NYw45hI z+PW%zNde`K0x*lW5>}91a%^t^x@m(5)3s?{;aiy6Z{7LZ2pM<@2idj5$3y@tj}iHhsOU>p5WBtF z;xSGyR4UD3iN|t9XxnX;*C9tD-SCHgYh1}hewU^xCmbFu1+oE??yuiz%=3m^_zLEG zhd%1bOe!iWepJr{!^E7HwUm|V+=YeDT%lkFWW5xSNmo=DmKCy;8a_ZLTontsT`zei zr(#FBvN7*mgeqVo!x5M4w#UAr4SMz2h`0mSuL|TcB?5g&vcu7%I2yl%5~H~iUa}PY zCR2~CySp?TOZuJHZL<0GYF#FG-V#HsL|e&dhPFGWm#V4#!wNxlm3yb7ZsQzGn_AB% zuHh0_KaCiLZ3JwphXKgt7xqNcxg=1y2F~)BnUiq2#28WTpfewyjR5NL*H?%>CXe~) z?1q22bO?+j@CFG4VO{Vj_hHfDlhg%{d-rPG&yv$6MmczqIW@ay?d`%E3_nV-ZeH2! z8;W{QzO|>ZyWDLRE$Cdo#Dj=nglk!S@bovE<$fiK%-9?7UHbjg)$?8T`;ngwOQ5Ak z112xxrT9Zsb6*6fYL$o*F>gGs^dqM(aZvhYu8(Otc?pAEgsVYw8PhiNdiV@9l%P|e z#p;n^DH%a%!0}v!dYE#$1|gq2M9VTh6;d{sihNJPLJYC_EYZ)u+RmP(Jt4U{4@G=L z`9Z)uPy_tr&Qvv>PBBnP>}QS7m%#vdKWzad)wD}j5Id$mFME}H`}f0%GS^*&Yy^eC ztqAq_7Y$2bst4^dqKqk=%bXJ*Z*SXRj}atE_wpYM>{ju~_%s^F>NOAFw<qkZC_z4V3S!-j~t2p+@<~{BQ^(0;HmXpTi&su&VX#Ag#aos&B6X@QIyuELlwNAuRJkR_ z)HZN*Lp?R7ueex6MI~H4BPL%LYV`0TmdojxnVb2uo2GJn`}Ttm7!y0KN0^G0A9kV6 z5}g=_&1+#e0D!hlu;HEsdt^Ymyeoq1^RwpLZ;(jqANO5*?))Qy6TLMv=62W&F3gA6 z8HgDJUm$(bMbIG8A40rheVGwV#kN}=qPKP~T|sO;G--O^2Og6}%HeraerRn^p09gZT~ zp+rozv_TYq4Dq?__Q$0C_LkgmWRoaco)sKGt>U^y-5 z)7(U#3yd=dNLyGdh6DBz*YL#)f?b@In<5vnG{uC=3|1ZC2lw%Hq5n3nET zI@YC2qt@0N~p;p`kZ7 zCEgQPRoNwysK1krg+)C=MJkaTiw`a4DX9i7nGxdLNWSkk-C3zVxn5j4`<(dORf;P& z2rf#P%A|Ql@vd?g48K}{nvk4hV#`1e)2vJdd+q*@5nJWCa|fcJp9s)o7=jF51jdTv zY!EOo^{pXwKz%9I5eOxir^={7p(df2Nf6>JU*{l0?RQN61R>#|$qF=ok`1sw!qSSNH(n-ETlev`17D$ zPk;?-fXsaJ-xOvQ9hKGtVRB(~3JJ6HV5|!JYP9QaeErA8cl>MJ_^sEtR2mJUU2lTP zOFp@Jm@8}r&r@RICuU?kz#R}^J$z@v_Vb;ec;-FmDlve{1T$T;g=u&^J&0!lFDTMv zBw*&Gg9~+E!D5P_@e#c9!h`&sl&!68@9?{KGFiIQ#PSeIS<)&Du-)Rq#&vYNR7P$D z)z5#!ZMUDeGU1F628|g8&^u;qmprVOt2_XBC){7-0rN5NrJT+E;S1v}sV@o2D8=<) zFn&Bcv!FnYlhY)?Vt`jIpVd;9Y#VRKr0aJ!p_EUPcXalJT|r5kwL<;$vo2Z%8kQRc z;;Fa1exZ#J80L4|YW1h*ZmOVq`m=2f8fC%_HOqomQf(P51~ot&c&9*6m4fN_9}EPk zH?8B+9QWA)J}%pGw=g2pKwe6V4AB2&W`wOMFdYXt$^CyW6L z3J|s#Z%EBI2x(TcPChVi<8q&vT{YYGDO8y6VT@-UShZP%afi5*Kh0r)7}!hDig@5W zj!@c%M^x(Iqn`7vM|G9sFI2|@bH_j0dPJx@x-zPOH1LthX``bV7{^;>{0Xp36qeJ+ z`k!dix&N!x%HX5CS2;&*uH&m&VgP72|8F)JA7bmo3MtC^gR0W7!LNz)l}#erN>2h^+}+;%e9n}p_`TA9 zSAJ19wTg}UN$-j6)+OEk_Yl#ToRb^z6E)vjHh7+F3r2moWpu(tLXBT#6cKvMh-&{Z z1fWC!ed-D z=wu&x{nIgJU*442gDDCk>LbL#zt^<_T^hwhH3-3yKO`|8$1EmV+x_Qv)P zQGX#La6-_!@_7y0B(1wu52@z;-*4!x-*|$_+rX1|Q-9W4QIlZR*~dOWnuPH&#wQ{9 zGHMHN{|#3H%kuvNuaAwv|1)^j*VynognDyL&Vtoavenv8R%V1nM*v z-er%p2>H{bLMW+UuuO_FpGQWgBwL$sYo-_23U+rJRu@|!y$kL(q*6;mT!L)Vf_O&x zi%^L=m?gCfiD&DXVR#7rSf%#jGC+pEdvJzIrEI$yQrV>NkNp!r-4&8OE>q#Z+v-x? zYEr>=$3D{*|YSE;@T0R-7XnJG_mxaNAHbw-~xB$9Miqf;MM)PBA29E+4!>FbV3)U zx*ysxO>Sf%Z+^bFLu;X$F>D|c(tM%}`!bSnJGBPy`Y^owdC9Bjduk6}e>vnayvx~J zy!w8N`lbud=X-yUNO9t>e&n#s>bVP$-i$ZDV5}bLNjm1dmYaXLc8tMg_zKK4*6Zwp zl;j`gsT`DVe0_;B|6=LffjJ|%7BTQI@ZSk6PT*opa^C+zc*Gdi^UQ$sQ$9R<8FTJq zKk^mu5p-fjm@yTdV>j~n8E`(Q&luSM`zqXg0l$cpMf)%277HCq-sUbkrsf@;%LIV0 zyA5%V)bWly1rC8K@ICI|d&vKN70&?Dx>D3z^&ih?|GqwzgZn*yvGGWB;*Xmn1((kG zwBldP$`e?pi9j{&nT4Il@t(vSb>k>@V~goL{QgPpVpo?~N|r-nS?UJ%F@4JyLPa%V z(OuFa20&=S-p29-E{%(mD?@eZyPI{Zo2`(3`a!b~(d%|v(x4jogU|FyrN@WPb$pFh4?c3T8?)FuS@mMhHa1{i080Af2>|C29SCvK4rDJ>5P!>~-4QlpJhFOzm-t z$wgs8q~oxNhnmt#$p_FeCYjF*4H+QJR09!6{ok4jfkGKh#s#FK2+quda;|rDU&SBc z+o30h;mPk;BK(cajNtLtKqwzG;Z{0|6gI=DGFaF0}ep1E8 zkS#n&cgV9?(gmp~*)*tDS4Y0_5*_EoZ{bv!Vh#E(#p#;6yN4CUVE4$WN0EJTpYQ81 z9`4a+XsmLccExe@RDsQDKFAFE0Rf$zovNBurw0=5sOOo?fAh3G+)}@(zz#cwcjI`Q zC!G$-P`#z6m*kqp%ygkTYoboxzMSar>*7oSC`eCEL-$b?5oC~$s0Q{`^n-zl{?7y4 zk1!EB;w_KGsCJ;g^-RrcpOPVUq@w>fLPiJ;nn&?Y?odU)0QbM57X6J*+37vBPsE5L zwH=EWT7MFk{<*B3Q!8&6A;M^T(Iv^W*yMYYxBSetZTY^JJ@PBgVe-yQwdy0l2 z`GcVIRwd_~7cT(p*rWX|Qg@*6UZ#U4$lQK9oE9?9dUIyupMER&kdbt9;{3;qM)h$4 z`CQYUr$K)NW&>JO1gRg$-(7~!XmuDh<$lh*AHur%;K!=1(b&;TH3K`y4F8W!&5v`D zq`2fFDd&%e<9PvWa3@wKW#&HR?|6qMTbJOsZJ%PL*16-oJJpHxKjv%rAM!P_92#oP z=6=>3xVHc)Fx7Hg9#)FUMcnbOegRwyf%T79iw1U?9OVKicYfmmJ!Q`6o(#<*+4QpA z^}CL18rdZcHM7O*gBnIJ%p|YN(H>qT&G`)n#h2Q|smIKs%xq%q72n$J@F|pbZ+M z2sIJtcmR+|5srCWt~F*rCwVW!() zlmd|8z-n|2>c6lu-6e-woi^a5;4+izvF@K&=7ZYrI^G?E8ufg&EHP0n8%!4XK8W2L zC-d}a9(M+j`K5y!ooWSJxo~A-WccvH%SAsG+M6fM7MSY3mr>Woo$|wK2q%qy-j*=` z@eN%&t1R95awS@r%YvV(z7u?zE043Q3Op{(q{iLZle zl^o->4mq}Ghewa&z(-yyKPSA-%C{bWZ|g`Uwi_d$JLQa$e8Gwto*SW|doq9cPjMr1=(FH^fOe)&cmNRpe+LTiH$G-KzL> zlnr6o&Rhqcji_w&-s`;p*BxZ8&1Vy)CnsG>b?rxvPjtwBR~HsIX0h49juTEBa`&*X zlZ;ouyoxz_Gp34nfMTY;pg-hHS0k|A|Gf7e2S-J((B^oX)vt_nuQW%sk33^afm~Xj z3N57pq}I&IF5)^^j?Fu#oqUU@cbOwF_Y>y?%H^e$7Nslfos5&G@XW6i0qo*V#HUBtPoF+T_i(Bj*T8%7VKJ7UMB}x5Nx5n^5w2Y% z&lOk!(B+5Ew-(bYyPMDPi@@9fc7#mojSHCTQAA(hjFshA%zwPV3M(#HtPB^3Udz(^ zQ1fB+20_tWUJ9uAssiT0Sb>21;WwLCLF{i+V*CRa(~+h>2lRNC(*=h3c3gnme$;Z< zLa*|BFEG0ylzpqAJ6*rt>1Sx)WMH>L)!T+}E-7xZkjD%(uFfkrT2_~qmi(Tl9>zGr zxS(yu7~}ox^I^0vyo(LYsR3`7u8b3!F;rb5EAkn}1#p0wKY{b`VKL{Tx%=EQ^#L(& zy^;0q71lt<$SNP>(L^zS3N(FWx-Z}S0saA)5fp=8Vx#35)P?=KNS=~Hy^HNNI7tt1 zPv}(1<_TDz6`oFGSFFJb9aRBv|E0-F(sbCv%L2EaJLU)qLfL`rd%^nP7T#!UTB<5; zK`^7Hv|!#P3Vv14HVpMopU$oZs#=`{J-F82_8-?Gph|gmJ;QV%uTD{Yk_g{u;l{7@ z$9E=tc*9cRqKc=^LGPUEpQ=B?o);?ovw-B@F@!q+OYdzz$ua4xu&`XsAd(dobCiB* ziU2pGQh-Nx7;xd(oI4r$Nfm+`Pnx2s)Eq6}mtaDBEC#icX5qJbq?$Z25C5+F)SF)p zj_m-@%xXPOpkoci}7+)aIkEwk|ZFQwP1>k27OBmPBBFIi9~Z^NP;J^ z&jSI9{RY#aDfN;R7VFaBU8j$9s0YpN-ripAs;h>OUS<3~#pbu5?OZ#hDJr3-6kH4% zjOZD;-MeQ2Yiuks(b8z=-6c}()yR^sV}8_eV*cj=&B4-u^8D68d9(bf8;^Nvjp0$Y zI}Uk<7GJA#U2JS2Pd_o-aw86R#GytsBycm<^%2sK)1tOs3Q?2_fc?rJ)hq%!k1CK!`XYvI#X19axZJ5qBAhi40AWx}P~R-X86wm{}c z;PEYdY{@yqNkq8CW}3?HY&t1JHwc!;s$>!hWPjKXZ=8xq8Naln=BkDNM;+tTHXe8C zKfb-Ghjlk!LbJ0VUqX+!a$|02XP&1OKs(ug=zRr<12nak5ojA57@3;hd#+RE_u=Oi zzDGb3Q64}Lz)%pesLd^F{Y_GckeXeuQ5+h$5saREj3(WY+$g6Mw{4`VcbfM{2cJ_=i)+DVAHN<;q(IOZ*#(vfZ56ZAH;9H#(umv0Ppa=(6iH;Q%ydWrz=Aj!dStl? z*nwyP+UJ2>QgBvSpIMnysmqK+LPk~e%ie$&lus!(>vZHN>fIHzwCE77d;D$io?$1R z=e>#~oF-qUGMP0CHA+|06e4xfIl|HIsEPKe!+PiHi)@rX@vae`ga?_^C+Vo-Xqa0V z3#H3Srimrqy{C(Xi^4!-;wh(4LUHov_vv?gJrU`S1mfe2lg%kX!PM~KVlCru00 zX%BQ|%#A)9VZPMl{*Nk!JUW!A>3APL_3QJ0RI&Y{h4KxVwhx;-M5anFTw0b{L)JGu zy%fl^>C|ipyh92LzxwnWiNT6VO6nT*-_%jNZloxX zCUfbR(uz?)U)osL+LLeMo9#uvbCBl6Vt9Jy(sdeuMdOHd0epi&ve>Y>S(*e6wGIHM zhyIYbjphs*Edd;qcrff^3=J{Ee|`IlUXq8wJFt#!LMKZICAxoy6DA>T0ZbPNCgqe%sUn68Zo;Q zM1Paie|{aX8qs#!{pQu~wG2aCGUj8jP>@%7mR_CAk_f^LI%_UhD+pWTTy9`~x-B94 z>X&T&_p{_w^idYY#ezBs1-at*cTuR>wkDD2YxjV{tA1Sl?$&~V=v)Q;tGn~%cZUIf zq;|v7u@=D2Z!syS2Azu3@g^eY;n1&7pHyZe&tdkD-=KtE-p^h!82|nV)K1U z0AE0Dvi}w#Wm|VUjR(2i`&7;R#&6RR0x1zkoFoEtXH2{J1sSFfXXEJ3(x_YEFSHv( zw!nXVyGp3Ag2qa}{^diCBpokUlA)BiiV1bgn`)^&ClQ61y5u8bQB-4c*5^r)N8v?Y?HzY!zNl-d z%7SjWq$r@N(OM_*JUR6A02FD9oN=ObfLU)n&Wedu97Vj5AcCdv%5-bI{J!46e=khB z1>0M&lfRUM*ORnNgpxEWd5XIEuy{pKgnn;jugHWBvvsQGU#D#ZBjFGiB?sQ+wkiB1 z!L8W~62XcyqlrI84gyIKaMPIczKx8;1b;V9gDoAGm6aS&QL0v?S{8{J2-@-rTwd^P3aB|#xxe6~(ns%QkM{D} zzYimu2|n`>I4I|r_F{M6znaT4+YnuBtb^W&6RoiJw66d!BEGt9ruCuQ@45Mp+?AKx z|K?p2?3iuDkQlIJt>ON#Wn~TbWq2xww?P$v5qomB&W8;6+GBVVo#RO~F#YXoeJKxZ z8pB4AfZP+H1yaznz>$POmVVL&&d%RI^aaaGfD}cb6t~SREK?*ufn)BI^AmqzSqZQS zv~ZVI&KFwvAgART;Ka|#?FN4lL(g#6V;-mj?Fs-dXa-H(N6+|&#XyXqVYt_Ud!AMD zKk54XhZzH#!2u2wVT?M%@jG-v9GYU_$|Tq*|Pf(^8JZ`m8<2v;GiZzFPF*@%!Tb@XNAk>+%JEfST!Z z?Mr~WLxLv#W&QoM>wHYN!r!0YOy=8zPuYBa6x#uWIF2Rcvj1oIy~6Zv; Date: Mon, 11 Sep 2023 11:20:03 -0600 Subject: [PATCH 27/47] The Haagless Horseman --- ...load_with_urlcache_and_split_arguments.yml | 1 + .../certutil_with_decode_argument.yml | 1 + .../endpoint/chcp_command_execution.yml | 1 + ...dless_browser_mockbin_or_mocky_request.yml | 59 +++++++++++++++++++ .../endpoint/headless_browser_usage.yml | 59 +++++++++++++++++++ ...ndows_curl_download_to_suspicious_path.yml | 1 + ...load_with_urlcache_and_split_arguments.yml | 2 + .../certutil_with_decode_argument.yml | 1 + ...ndows_curl_download_to_suspicious_path.yml | 1 + .../ssa___windows_certutil_decode_file.yml | 1 + ...a___windows_certutil_urlcache_download.yml | 1 + stories/forest_blizzard.yml | 20 +++++++ 12 files changed, 148 insertions(+) create mode 100644 detections/endpoint/headless_browser_mockbin_or_mocky_request.yml create mode 100644 detections/endpoint/headless_browser_usage.yml create mode 100644 stories/forest_blizzard.yml diff --git a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml index 422da9cbf9..53066bc4e5 100644 --- a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml @@ -39,6 +39,7 @@ tags: - ProxyNotShell - CISA AA22-277A - Flax Typhoon + - Forest Blizzard asset_type: Endpoint confidence: 100 impact: 90 diff --git a/detections/endpoint/certutil_with_decode_argument.yml b/detections/endpoint/certutil_with_decode_argument.yml index 2c15427702..d96840310f 100644 --- a/detections/endpoint/certutil_with_decode_argument.yml +++ b/detections/endpoint/certutil_with_decode_argument.yml @@ -37,6 +37,7 @@ tags: analytic_story: - Deobfuscate-Decode Files or Information - Living Off The Land + - forest Blizzard asset_type: Endpoint confidence: 80 impact: 50 diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml index 639afc2d6a..3909c2f918 100644 --- a/detections/endpoint/chcp_command_execution.yml +++ b/detections/endpoint/chcp_command_execution.yml @@ -29,6 +29,7 @@ tags: analytic_story: - IcedID - Azorult + - Forest Blizzard asset_type: Endpoint confidence: 30 impact: 30 diff --git a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml new file mode 100644 index 0000000000..e93fdb914d --- /dev/null +++ b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml @@ -0,0 +1,59 @@ +name: Headless Browser Mockbin or Mocky Request +id: 94fc85a1-e55b-4265-95e1-4b66730e05c0 +version: 1 +date: '2023-09-11' +author: Michael Haag, Splunk +status: production +type: TTP +data_source: +- Sysmon Event ID 1 +description: The following analytic identifies headless browser activity accessing mockbin.org or mocky.io. Mockbin.org and mocky.io are web services that allow users to mock HTTP requests and responses. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing and the presence of mockbin.org or mocky.io in the process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where + (Processes.process=*--headless* AND Processes.process="*--disable-gpu*" AND (Processes.process="*mockbin.org/*" OR Processes.process="*mocky.io/*")) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `headless_browser_mockbin_or_mocky_request_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +known_false_positives: False positives are not expected with this detection, unless within the organization there is a legitimate need for headless browsing accessing mockbin.org or mocky.io. +references: +- https://mockbin.org/ +- https://www.mocky.io/ +tags: + analytic_story: + - Forest Blizzard + asset_type: endpoint + atomic_guid: [] + confidence: 70 + impact: 80 + message: Headless browser activity accessing mockbin.org or mocky.io detected on $dest$ by $user$. + mitre_attack_id: + - T1564.003 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 56 + required_fields: + - Processes.dest + - Processes.user + - Processes.parent_process + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_id + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/headlessbrowser/headless_mockbin.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog diff --git a/detections/endpoint/headless_browser_usage.yml b/detections/endpoint/headless_browser_usage.yml new file mode 100644 index 0000000000..964ce84d27 --- /dev/null +++ b/detections/endpoint/headless_browser_usage.yml @@ -0,0 +1,59 @@ +name: Headless Browser Usage +id: 869ba261-c272-47d7-affe-5c0aa85c93d6 +version: 1 +date: '2023-09-08' +author: Michael Haag, Splunk +status: production +type: Hunting +data_source: +- Sysmon Event ID 1 +description: 'The following hunting analytic is designed to detect the usage of headless browsers in an organization. Headless browsers are web browsers without a graphical user interface and are operated via a command line interface or network requests. They are often used for automating tasks but can also be utilized by adversaries for malicious activities such as web scraping, automated testing, and performing actions on web pages without detection. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing.' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where + (Processes.process=*--headless* AND Processes.process="*--disable-gpu*") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `headless_browser_usage_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +known_false_positives: This hunting analytic is meant to assist with baselining and understanding headless browsing in use. Filter as needed. +references: +- https://cert.gov.ua/article/5702579 +tags: + analytic_story: + - Forest Blizzard + asset_type: endpoint + atomic_guid: [] + confidence: 50 + impact: 30 + message: Behavior related to headless browser usage detected on $dest$ by $user$. + mitre_attack_id: + - T1564.003 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 15 + required_fields: + - Processes.dest + - Processes.user + - Processes.parent_process + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_id + - sourcetype + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/headlessbrowser/headless_mockbin.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml index a8a64525b9..b14f46f8fb 100644 --- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml +++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml @@ -37,6 +37,7 @@ tags: analytic_story: - IcedID - Ingress Tool Transfer + - Forest Blizzard asset_type: Endpoint confidence: 100 impact: 80 diff --git a/dev/endpoint/certutil_download_with_urlcache_and_split_arguments.yml b/dev/endpoint/certutil_download_with_urlcache_and_split_arguments.yml index 19392627e3..981942bedf 100644 --- a/dev/endpoint/certutil_download_with_urlcache_and_split_arguments.yml +++ b/dev/endpoint/certutil_download_with_urlcache_and_split_arguments.yml @@ -44,6 +44,8 @@ tags: - Living Off The Land - ProxyNotShell - CISA AA22-277A + - Forest Blizzard + - Flax Typhoon asset_type: Endpoint confidence: 100 impact: 90 diff --git a/dev/endpoint/certutil_with_decode_argument.yml b/dev/endpoint/certutil_with_decode_argument.yml index aa8302e4fd..20b2c1e0ed 100644 --- a/dev/endpoint/certutil_with_decode_argument.yml +++ b/dev/endpoint/certutil_with_decode_argument.yml @@ -40,6 +40,7 @@ tags: analytic_story: - Deobfuscate-Decode Files or Information - Living Off The Land + - Forest Blizzard asset_type: Endpoint confidence: 80 impact: 50 diff --git a/dev/endpoint/windows_curl_download_to_suspicious_path.yml b/dev/endpoint/windows_curl_download_to_suspicious_path.yml index 057eb00a3b..709ce29096 100644 --- a/dev/endpoint/windows_curl_download_to_suspicious_path.yml +++ b/dev/endpoint/windows_curl_download_to_suspicious_path.yml @@ -45,6 +45,7 @@ tags: analytic_story: - IcedID - Ingress Tool Transfer + - Forest Blizzard asset_type: Endpoint confidence: 100 impact: 80 diff --git a/dev_ssa/endpoint/ssa___windows_certutil_decode_file.yml b/dev_ssa/endpoint/ssa___windows_certutil_decode_file.yml index 867a213750..16bcda5348 100644 --- a/dev_ssa/endpoint/ssa___windows_certutil_decode_file.yml +++ b/dev_ssa/endpoint/ssa___windows_certutil_decode_file.yml @@ -37,6 +37,7 @@ tags: analytic_story: - Deobfuscate-Decode Files or Information - Living Off The Land + - Forest Blizzard asset_type: Endpoint confidence: 80 impact: 50 diff --git a/dev_ssa/endpoint/ssa___windows_certutil_urlcache_download.yml b/dev_ssa/endpoint/ssa___windows_certutil_urlcache_download.yml index 3da51c21c3..dc2bec0b09 100644 --- a/dev_ssa/endpoint/ssa___windows_certutil_urlcache_download.yml +++ b/dev_ssa/endpoint/ssa___windows_certutil_urlcache_download.yml @@ -38,6 +38,7 @@ tags: - Ingress Tool Transfer - DarkSide Ransomware - Living Off The Land + - Forest Blizzard asset_type: Endpoint confidence: 100 impact: 90 diff --git a/stories/forest_blizzard.yml b/stories/forest_blizzard.yml new file mode 100644 index 0000000000..9e7163f2d2 --- /dev/null +++ b/stories/forest_blizzard.yml @@ -0,0 +1,20 @@ +name: Forest Blizzard +id: 2c1aceda-f0a5-4c83-8543-e23ec1466958 +version: 1 +date: '2023-09-11' +author: Michael Haag, Splunk +description: CERT-UA has unveiled a cyberattack on Ukraine's energy infrastructure, orchestrated via deceptive emails. These emails, once accessed, lead to a multi-stage cyber operation downloading and executing malicious payloads. Concurrently, Zscaler's "Steal-It" campaign detection revealed striking similarities, hinting at a shared origin - APT28 or Fancy Bear. This notorious group, linked to Russia's GRU, utilizes legitimate platforms like Mockbin, making detection challenging. Their operations underline the evolving cyber threat landscape and stress the importance of advanced defenses. +narrative: APT28, also known as Fancy Bear, blends stealth and expertise in its cyber operations. Affiliated with Russia's GRU, their signature move involves spear-phishing emails, leading to multi-tiered cyberattacks. In Ukraine's recent breach, a ZIP archive's execution triggered a series of actions, culminating in information flow redirection via the TOR network. Simultaneously, Zscaler's "Steal-It" campaign pinpointed similar tactics, specifically targeting NTLMv2 hashes. This campaign used ZIP archives containing LNK files to exfiltrate data via Mockbin. APT28's hallmark is their "Living Off The Land" strategy, manipulating legitimate tools and services to blend in, evading detection. Their innovative tactics, coupled with a geofencing focus on specific regions, make them a formidable cyber threat, highlighting the urgent need for advanced defense strategies. +references: +- https://cert.gov.ua/article/5702579 +- https://www.zscaler.com/blogs/security-research/steal-it-campaign +- https://attack.mitre.org/groups/G0007/ +tags: + analytic_story: Forest Blizzard + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection From 545dcb72013bc84c0de4fe548f5929fb8d5560b4 Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Mon, 11 Sep 2023 10:42:21 -0700 Subject: [PATCH 28/47] Rename File Name according to the Convention --- ...ndows_find_domain_organizational_units_with_getdomainou.yml} | 2 +- ...dows_find_interesting_acl_with_findinterestingdomainacl.yml} | 2 +- ...ck.yml => windows_forest_discovery_with_getforestdomain.yml} | 2 +- ...ml => windows_get_local_admin_with_findlocaladminaccess.yml} | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) rename detections/endpoint/{get_domainou_with_powershell_script_block.yml => windows_find_domain_organizational_units_with_getdomainou.yml} (97%) rename detections/endpoint/{find_interestingdomainacl_with_powershell_script_block.yml => windows_find_interesting_acl_with_findinterestingdomainacl.yml} (97%) rename detections/endpoint/{get_forestdomain_with_powershell_script_block.yml => windows_forest_discovery_with_getforestdomain.yml} (98%) rename detections/endpoint/{find_localadminaccess_with_powershell_script_block.yml => windows_get_local_admin_with_findlocaladminaccess.yml} (97%) diff --git a/detections/endpoint/get_domainou_with_powershell_script_block.yml b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml similarity index 97% rename from detections/endpoint/get_domainou_with_powershell_script_block.yml rename to detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml index 012faf0e6c..4e2210aed0 100644 --- a/detections/endpoint/get_domainou_with_powershell_script_block.yml +++ b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml @@ -1,4 +1,4 @@ -name: Get DomainOU with PowerShell Script Block +name: Windows Find Domain Organizational Units with GetDomainOU id: 0ada2f82-b7af-40cc-b1d7-1e5985afcb4e version: 1 date: '2023-08-31' diff --git a/detections/endpoint/find_interestingdomainacl_with_powershell_script_block.yml b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml similarity index 97% rename from detections/endpoint/find_interestingdomainacl_with_powershell_script_block.yml rename to detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml index 6ed44ce890..b2d6bf3477 100644 --- a/detections/endpoint/find_interestingdomainacl_with_powershell_script_block.yml +++ b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml @@ -1,4 +1,4 @@ -name: Find InterestingDomainAcl with PowerShell Script Block +name: Windows Find Interesting ACL with FindInterestingDomainAcl id: e4a96dfd-667a-4487-b942-ccef5a1e81e8 version: 1 date: '2023-08-31' diff --git a/detections/endpoint/get_forestdomain_with_powershell_script_block.yml b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml similarity index 98% rename from detections/endpoint/get_forestdomain_with_powershell_script_block.yml rename to detections/endpoint/windows_forest_discovery_with_getforestdomain.yml index 740f2e41f7..ed701ee3c3 100644 --- a/detections/endpoint/get_forestdomain_with_powershell_script_block.yml +++ b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml @@ -1,4 +1,4 @@ -name: Get ForestDomain with PowerShell Script Block +name: Windows Forest Discovery with GetForestDomain id: a14803b2-4bd9-4c08-8b57-c37980edebe8 version: 1 date: '2023-08-31' diff --git a/detections/endpoint/find_localadminaccess_with_powershell_script_block.yml b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml similarity index 97% rename from detections/endpoint/find_localadminaccess_with_powershell_script_block.yml rename to detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml index 163fbf262c..d9ebd73295 100644 --- a/detections/endpoint/find_localadminaccess_with_powershell_script_block.yml +++ b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml @@ -1,4 +1,4 @@ -name: Find LocalAdminAccess with PowerShell Script Block +name: Windows Get Local Admin with FindLocalAdminAccess id: d2988160-3ce9-4310-b59d-905334920cdd version: 1 date: '2023-08-31' From e743b6a4d78d4e25f98316f7569d70f3bb711f42 Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Mon, 11 Sep 2023 11:04:20 -0700 Subject: [PATCH 29/47] Update filter --- ...indows_find_domain_organizational_units_with_getdomainou.yml | 2 +- ...ndows_find_interesting_acl_with_findinterestingdomainacl.yml | 2 +- .../endpoint/windows_forest_discovery_with_getforestdomain.yml | 2 +- .../windows_get_local_admin_with_findlocaladminaccess.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml index 4e2210aed0..561191558f 100644 --- a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml +++ b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml @@ -14,7 +14,7 @@ description: This analytic leverages PowerShell Script Block Logging (EventCode= search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `get_domainou_with_powershell_script_block_filter`' + | `windows_find_domain_organizational_units_with_getdomainou_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. diff --git a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml index b2d6bf3477..1bad6fdf3c 100644 --- a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml +++ b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml @@ -15,7 +15,7 @@ description: This analytic leverages PowerShell Script Block Logging (EventCode= search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `find_interestingdomainacl_with_powershell_script_block_filter`' + | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. diff --git a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml index ed701ee3c3..659a01db89 100644 --- a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml +++ b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml @@ -14,7 +14,7 @@ description: This analytic utilizes PowerShell Script Block Logging (EventCode=4 search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `get_forestdomain_with_powershell_script_block_filter`' + | `windows_forest_discovery_with_getforestdomain_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. diff --git a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml index d9ebd73295..72510c9acf 100644 --- a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml +++ b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml @@ -15,7 +15,7 @@ search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `find_localadminaccess_with_powershell_script_block_filter`' + | `windows_get_local_admin_with_findlocaladminaccess_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. From f2b06795a6bcf54c405f076068d924326b8cd06b Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Mon, 11 Sep 2023 13:56:10 -0600 Subject: [PATCH 30/47] fixes --- .../endpoint/headless_browser_mockbin_or_mocky_request.yml | 2 +- detections/endpoint/headless_browser_usage.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml index e93fdb914d..e41d1cdf11 100644 --- a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml +++ b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml @@ -10,7 +10,7 @@ data_source: description: The following analytic identifies headless browser activity accessing mockbin.org or mocky.io. Mockbin.org and mocky.io are web services that allow users to mock HTTP requests and responses. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing and the presence of mockbin.org or mocky.io in the process. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where - (Processes.process=*--headless* AND Processes.process="*--disable-gpu*" AND (Processes.process="*mockbin.org/*" OR Processes.process="*mocky.io/*")) by Processes.dest Processes.user Processes.parent_process + (Processes.process="*--headless*" AND Processes.process="*--disable-gpu*" AND (Processes.process="*mockbin.org/*" OR Processes.process="*mocky.io/*")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `headless_browser_mockbin_or_mocky_request_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. diff --git a/detections/endpoint/headless_browser_usage.yml b/detections/endpoint/headless_browser_usage.yml index 964ce84d27..232c97451e 100644 --- a/detections/endpoint/headless_browser_usage.yml +++ b/detections/endpoint/headless_browser_usage.yml @@ -10,7 +10,7 @@ data_source: description: 'The following hunting analytic is designed to detect the usage of headless browsers in an organization. Headless browsers are web browsers without a graphical user interface and are operated via a command line interface or network requests. They are often used for automating tasks but can also be utilized by adversaries for malicious activities such as web scraping, automated testing, and performing actions on web pages without detection. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing.' search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where - (Processes.process=*--headless* AND Processes.process="*--disable-gpu*") by Processes.dest Processes.user Processes.parent_process + (Processes.process="*--headless*" AND Processes.process="*--disable-gpu*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `headless_browser_usage_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. From 9ab77032939e7f793e12e6bfd9bb0b32bf44fb45 Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Mon, 11 Sep 2023 15:13:54 -0700 Subject: [PATCH 31/47] Added Contributors --- ...indows_find_domain_organizational_units_with_getdomainou.yml | 2 +- ...ndows_find_interesting_acl_with_findinterestingdomainacl.yml | 2 +- .../endpoint/windows_forest_discovery_with_getforestdomain.yml | 2 +- .../windows_get_local_admin_with_findlocaladminaccess.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml index 561191558f..bfea1c3c79 100644 --- a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml +++ b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml @@ -2,7 +2,7 @@ name: Windows Find Domain Organizational Units with GetDomainOU id: 0ada2f82-b7af-40cc-b1d7-1e5985afcb4e version: 1 date: '2023-08-31' -author: Gowthamaraj Rajendran, Splunk +author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP data_source: diff --git a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml index 1bad6fdf3c..459d1e5e5b 100644 --- a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml +++ b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml @@ -2,7 +2,7 @@ name: Windows Find Interesting ACL with FindInterestingDomainAcl id: e4a96dfd-667a-4487-b942-ccef5a1e81e8 version: 1 date: '2023-08-31' -author: Gowthamaraj Rajendran, Splunk +author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP data_source: diff --git a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml index 659a01db89..ed47842bc4 100644 --- a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml +++ b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml @@ -2,7 +2,7 @@ name: Windows Forest Discovery with GetForestDomain id: a14803b2-4bd9-4c08-8b57-c37980edebe8 version: 1 date: '2023-08-31' -author: Gowthamaraj Rajendran, Splunk +author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP data_source: diff --git a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml index 72510c9acf..525a0e842d 100644 --- a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml +++ b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml @@ -2,7 +2,7 @@ name: Windows Get Local Admin with FindLocalAdminAccess id: d2988160-3ce9-4310-b59d-905334920cdd version: 1 date: '2023-08-31' -author: Gowthamaraj Rajendran, Splunk +author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP data_source: From 8fd50e0320b365aa299ee6182b8d8f63e1d3c647 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 11 Sep 2023 17:13:40 -0700 Subject: [PATCH 32/47] adding CVE --- .../application/splunk_edit_user_privilege_escalation.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/detections/application/splunk_edit_user_privilege_escalation.yml b/detections/application/splunk_edit_user_privilege_escalation.yml index deacb2d17c..c9a8e4ce5d 100644 --- a/detections/application/splunk_edit_user_privilege_escalation.yml +++ b/detections/application/splunk_edit_user_privilege_escalation.yml @@ -20,7 +20,8 @@ tags: atomic_guid: [] confidence: 80 impact: 80 - cve: [] + cve: + - CVE-2023-32707 message: Possible attempt to abuse edit_user function by $user$ mitre_attack_id: - T1548 From f12ba109e7a0076089c3d4c7fb2a43a23552da36 Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Tue, 12 Sep 2023 14:14:10 -0700 Subject: [PATCH 33/47] Update CIM, add macros --- ...domain_organizational_units_with_getdomainou.yml | 13 +++++++------ ...nteresting_acl_with_findinterestingdomainacl.yml | 13 +++++++------ ...indows_forest_discovery_with_getforestdomain.yml | 13 +++++++------ ...ws_get_local_admin_with_findlocaladminaccess.yml | 13 +++++++------ macros/windows_powershell_rename.yml | 3 +++ 5 files changed, 31 insertions(+), 24 deletions(-) create mode 100644 macros/windows_powershell_rename.yml diff --git a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml index bfea1c3c79..da70b9a2fd 100644 --- a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml +++ b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml @@ -12,6 +12,7 @@ description: This analytic leverages PowerShell Script Block Logging (EventCode= Identifying the use of `Get-DomainOU` is crucial as adversaries and Red Teams might employ it to gain insights into organizational units within Active Directory, potentially aiding in lateral movement or privilege escalation strategies. search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*" + | `windows_rename_to_cim` | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_domain_organizational_units_with_getdomainou_filter`' @@ -29,17 +30,17 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Suspicious PowerShell Get-DomainOU was identified on endpoint $Computer$ - by user $UserID$. + message: Suspicious PowerShell Get-DomainOU was identified on endpoint $dest$ + by user $user$. mitre_attack_id: - T1087 - T1087.002 observable: - - name: Computer + - name: dest type: Hostname role: - Victim - - name: UserID + - name: user type: User role: - Victim @@ -51,8 +52,8 @@ tags: - _time - EventCode - Message - - ComputerName - - User + - Computer + - UserID risk_score: 25 security_domain: endpoint tests: diff --git a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml index 459d1e5e5b..9f5a559909 100644 --- a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml +++ b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml @@ -13,6 +13,7 @@ description: This analytic leverages PowerShell Script Block Logging (EventCode= (ACLs) within the domain. Such ACLs can provide attackers with insights into potential privilege escalation opportunities or weak security postures within Active Directory. search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*" + | `windows_rename_to_cim` | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`' @@ -30,17 +31,17 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $Computer$ - by user $UserID$. + message: Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $dest$ + by user $user$. mitre_attack_id: - T1087 - T1087.002 observable: - - name: Computer + - name: dest type: Hostname role: - Victim - - name: UserID + - name: user type: User role: - Victim @@ -52,8 +53,8 @@ tags: - _time - EventCode - Message - - ComputerName - - User + - Computer + - UserID risk_score: 25 security_domain: endpoint tests: diff --git a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml index ed47842bc4..4a4e9d5b53 100644 --- a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml +++ b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml @@ -12,6 +12,7 @@ description: This analytic utilizes PowerShell Script Block Logging (EventCode=4 is essential as adversaries and Red Teams might employ it to gain insights into the forest and domain configurations of an Active Directory environment. Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation. search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*" + | `windows_rename_to_cim` | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_forest_discovery_with_getforestdomain_filter`' @@ -29,17 +30,17 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Suspicious PowerShell Get-ForestDomain was identified on endpoint $Computer$ - by user $UserID$. + message: Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ + by user $user$. mitre_attack_id: - T1087 - T1087.002 observable: - - name: Computer + - name: dest type: Hostname role: - Victim - - name: UserID + - name: user type: User role: - Victim @@ -51,8 +52,8 @@ tags: - _time - EventCode - Message - - ComputerName - - User + - Computer + - UserID risk_score: 25 security_domain: endpoint tests: diff --git a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml index 525a0e842d..357ba5f839 100644 --- a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml +++ b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml @@ -12,6 +12,7 @@ description: This analytic leverages PowerShell Script Block Logging (EventCode= Detecting the use of `Find-LocalAdminAccess` is vital as adversaries and Red Teams might employ it to identify machines where the current user context has local administrator access. Such information can provide attackers with potential targets for lateral movement or privilege escalation within the network. search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*" + | `windows_rename_to_cim` | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` @@ -30,17 +31,17 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint $Computer$ - by user $UserID$. + message: Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint $dest$ + by user $user$. mitre_attack_id: - T1087 - T1087.002 observable: - - name: Computer + - name: dest type: Hostname role: - Victim - - name: UserID + - name: user type: User role: - Victim @@ -52,8 +53,8 @@ tags: - _time - EventCode - Message - - ComputerName - - User + - Computer + - UserID risk_score: 25 security_domain: endpoint tests: diff --git a/macros/windows_powershell_rename.yml b/macros/windows_powershell_rename.yml new file mode 100644 index 0000000000..c5f454cbd5 --- /dev/null +++ b/macros/windows_powershell_rename.yml @@ -0,0 +1,3 @@ +definition: rename Computer as dest, UserID as user +description: rename windows fields to CIM +name: windows_rename_to_cim \ No newline at end of file From 6a3c737845702c26da70300f8a69d4a165cce6b9 Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Tue, 12 Sep 2023 14:39:44 -0700 Subject: [PATCH 34/47] edit macro --- .../{windows_powershell_rename.yml => windows_rename_to_cim.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename macros/{windows_powershell_rename.yml => windows_rename_to_cim.yml} (100%) diff --git a/macros/windows_powershell_rename.yml b/macros/windows_rename_to_cim.yml similarity index 100% rename from macros/windows_powershell_rename.yml rename to macros/windows_rename_to_cim.yml From 1cf276183d3bf2b24954d6f855325f7a58432a66 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 12 Sep 2023 14:41:13 -0700 Subject: [PATCH 35/47] Update windows_ad_abnormal_object_access_activity.yml --- .../endpoint/windows_ad_abnormal_object_access_activity.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml index 9e21698a6f..92acf505dc 100644 --- a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml +++ b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml @@ -9,13 +9,12 @@ description: Windows Active Directory contains numerous objects. A statistically data_source: - Windows Security 4662 search: '`wineventlog_security` EventCode=4662 -| `windows_ad_abnormal_object_access_filter` | stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName | eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev | eval limit = round((average+(standarddev*3)),0), user = SubjectUserName | where ObjectName_count > limit | `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)`' +| `security_content_ctime(lastTime)`| `windows_ad_abnormal_object_access_activity_filter`' how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662 for relevant objects. Be awaren Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires. known_false_positives: Service accounts or applications that routinely query Active Directory for information. references: @@ -54,4 +53,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true \ No newline at end of file + update_timestamp: true From fbc808c1e3c805868451c91824ddde1828ded36b Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 12 Sep 2023 14:41:57 -0700 Subject: [PATCH 36/47] Update windows_ad_privileged_object_access_activity.yml --- .../endpoint/windows_ad_privileged_object_access_activity.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml index a91d4c87ab..6ee6a6974c 100644 --- a/detections/endpoint/windows_ad_privileged_object_access_activity.yml +++ b/detections/endpoint/windows_ad_privileged_object_access_activity.yml @@ -36,7 +36,7 @@ search: '`wineventlog_security` EventCode=4662 ObjectName IN ( | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval user = SubjectUserName, risk_score = case(object_count=1,40,object_count>1,object_count*30,true(),40) -| `windows_ad_privileged_object_access_filter`' +| `windows_ad_privileged_object_access_activity_filter`' how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662 for relevant objects. Be aware Splunk filters this event by default on the Windows TA. known_false_positives: Service accounts or applications that routinely query Active Directory for information. references: @@ -79,4 +79,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true \ No newline at end of file + update_timestamp: true From 439cf218eb895112ec41fbb4ff25dd50f29ec95e Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Tue, 12 Sep 2023 17:07:34 -0700 Subject: [PATCH 37/47] Update SPL --- ...indows_find_domain_organizational_units_with_getdomainou.yml | 2 +- ...ndows_find_interesting_acl_with_findinterestingdomainacl.yml | 2 +- .../endpoint/windows_forest_discovery_with_getforestdomain.yml | 2 +- .../windows_get_local_admin_with_findlocaladminaccess.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml index da70b9a2fd..c219db4001 100644 --- a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml +++ b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml @@ -13,7 +13,7 @@ description: This analytic leverages PowerShell Script Block Logging (EventCode= potentially aiding in lateral movement or privilege escalation strategies. search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*" | `windows_rename_to_cim` - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_domain_organizational_units_with_getdomainou_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs diff --git a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml index 9f5a559909..9ebeba5c7c 100644 --- a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml +++ b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml @@ -14,7 +14,7 @@ description: This analytic leverages PowerShell Script Block Logging (EventCode= Active Directory. search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*" | `windows_rename_to_cim` - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs diff --git a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml index 4a4e9d5b53..39af062361 100644 --- a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml +++ b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml @@ -13,7 +13,7 @@ description: This analytic utilizes PowerShell Script Block Logging (EventCode=4 Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation. search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*" | `windows_rename_to_cim` - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_forest_discovery_with_getforestdomain_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs diff --git a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml index 357ba5f839..13861b2523 100644 --- a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml +++ b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml @@ -13,7 +13,7 @@ description: This analytic leverages PowerShell Script Block Logging (EventCode= has local administrator access. Such information can provide attackers with potential targets for lateral movement or privilege escalation within the network. search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*" | `windows_rename_to_cim` - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_local_admin_with_findlocaladminaccess_filter`' From c6b398bd73a719202b5025cff36bd05c702110d7 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 13 Sep 2023 13:58:28 -0700 Subject: [PATCH 38/47] Update windows_ad_abnormal_object_access_activity.yml --- .../endpoint/windows_ad_abnormal_object_access_activity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml index 92acf505dc..b6959b8ba6 100644 --- a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml +++ b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml @@ -32,7 +32,7 @@ tags: - T1087.002 observable: - name: user - type: User Name + type: User role: - Victim product: From 4abb1eafe851fb2ce959b6da0c8fb1b499e78ecf Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 13 Sep 2023 14:00:42 -0700 Subject: [PATCH 39/47] Update windows_ad_privileged_object_access_activity.yml --- .../windows_ad_privileged_object_access_activity.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml index 6ee6a6974c..376d8485eb 100644 --- a/detections/endpoint/windows_ad_privileged_object_access_activity.yml +++ b/detections/endpoint/windows_ad_privileged_object_access_activity.yml @@ -54,7 +54,7 @@ tags: - T1087.002 observable: - name: user - type: User Name + type: User role: - Victim - name: object_name @@ -70,7 +70,8 @@ tags: - EventCode - ObjectName - EventCode - - Caller_User_Name + - Computer + - SubjectUserName risk_score: 25 security_domain: endpoint tests: From 69f552393a67b0719509d48f26f1865377c34427 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 13 Sep 2023 14:32:50 -0700 Subject: [PATCH 40/47] Update certutil_with_decode_argument.yml --- detections/endpoint/certutil_with_decode_argument.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/certutil_with_decode_argument.yml b/detections/endpoint/certutil_with_decode_argument.yml index d96840310f..4b7d19f7da 100644 --- a/detections/endpoint/certutil_with_decode_argument.yml +++ b/detections/endpoint/certutil_with_decode_argument.yml @@ -37,7 +37,7 @@ tags: analytic_story: - Deobfuscate-Decode Files or Information - Living Off The Land - - forest Blizzard + - Forest Blizzard asset_type: Endpoint confidence: 80 impact: 50 From e623806a7ac4c9809520183080af377e5cc21019 Mon Sep 17 00:00:00 2001 From: mvelazco Date: Thu, 14 Sep 2023 15:45:05 -0400 Subject: [PATCH 41/47] minor fixes --- .../endpoint/windows_ad_abnormal_object_access_activity.yml | 5 +++-- .../windows_ad_privileged_object_access_activity.yml | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml index b6959b8ba6..c29605aa9c 100644 --- a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml +++ b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml @@ -4,7 +4,7 @@ version: 1 date: '2023-06-01' author: Steven Dick status: production -type: TTP +type: Anomaly description: Windows Active Directory contains numerous objects. A statistically significant increase in access to these objects may be evidence of attacker enumeration of Active Directory. data_source: - Windows Security 4662 @@ -15,11 +15,12 @@ search: '`wineventlog_security` EventCode=4662 | where ObjectName_count > limit | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ad_abnormal_object_access_activity_filter`' -how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662 for relevant objects. Be awaren Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires. +how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires. known_false_positives: Service accounts or applications that routinely query Active Directory for information. references: - https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 +- https://attack.mitre.org/tactics/TA0007/ tags: analytic_story: - Active Directory Discovery diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml index 376d8485eb..0bebe89a2b 100644 --- a/detections/endpoint/windows_ad_privileged_object_access_activity.yml +++ b/detections/endpoint/windows_ad_privileged_object_access_activity.yml @@ -37,11 +37,12 @@ search: '`wineventlog_security` EventCode=4662 ObjectName IN ( | `security_content_ctime(lastTime)` | eval user = SubjectUserName, risk_score = case(object_count=1,40,object_count>1,object_count*30,true(),40) | `windows_ad_privileged_object_access_activity_filter`' -how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662 for relevant objects. Be aware Splunk filters this event by default on the Windows TA. +how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. known_false_positives: Service accounts or applications that routinely query Active Directory for information. references: - https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 +- https://attack.mitre.org/tactics/TA0007/ tags: analytic_story: - Active Directory Discovery From df48560256a857c34f5c1d3100140a39f67192e7 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 14 Sep 2023 14:02:06 -0700 Subject: [PATCH 42/47] spl fixes --- ...ain_organizational_units_with_getdomainou.yml | 12 +++--------- ...resting_acl_with_findinterestingdomainacl.yml | 16 ++++------------ ...ows_forest_discovery_with_getforestdomain.yml | 15 ++++----------- ...get_local_admin_with_findlocaladminaccess.yml | 8 ++------ 4 files changed, 13 insertions(+), 38 deletions(-) diff --git a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml index c219db4001..28d76a25a0 100644 --- a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml +++ b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml @@ -7,18 +7,12 @@ status: production type: TTP data_source: - Powershell 4104 -description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-DomainOU` commandlet. - `Get-DomainOU` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. - Identifying the use of `Get-DomainOU` is crucial as adversaries and Red Teams might employ it to gain insights into organizational units within Active Directory, - potentially aiding in lateral movement or privilege escalation strategies. +description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-DomainOU` commandlet. `Get-DomainOU` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Identifying the use of `Get-DomainOU` is crucial as adversaries and Red Teams might employ it to gain insights into organizational units within Active Directory, potentially aiding in lateral movement or privilege escalation strategies. search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*" - | `windows_rename_to_cim` - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_domain_organizational_units_with_getdomainou_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs - to be imported. Modify the powershell macro as needed to match the sourcetype or - add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainOU/ diff --git a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml index 9ebeba5c7c..d2e2188c6d 100644 --- a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml +++ b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml @@ -7,19 +7,12 @@ status: production type: TTP data_source: - Powershell 4104 -description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-InterestingDomainAcl` commandlet. - `Find-InterestingDomainAcl` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. - Detecting the use of `Find-InterestingDomainAcl` is crucial as adversaries and Red Teams might employ it to identify unusual or misconfigured Access Control Lists - (ACLs) within the domain. Such ACLs can provide attackers with insights into potential privilege escalation opportunities or weak security postures within - Active Directory. +description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-InterestingDomainAcl` commandlet. `Find-InterestingDomainAcl` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-InterestingDomainAcl` is crucial as adversaries and Red Teams might employ it to identify unusual or misconfigured Access Control Lists (ACLs) within the domain. Such ACLs can provide attackers with insights into potential privilege escalation opportunities or weak security postures within Active Directory. search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*" - | `windows_rename_to_cim` - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs - to be imported. Modify the powershell macro as needed to match the sourcetype or - add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Find-InterestingDomainAcl/ @@ -31,8 +24,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $dest$ - by user $user$. + message: Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $dest$ by user $user$. mitre_attack_id: - T1087 - T1087.002 diff --git a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml index 39af062361..16a59f7179 100644 --- a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml +++ b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml @@ -7,18 +7,12 @@ status: production type: TTP data_source: - Powershell 4104 -description: This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-ForestDomain` commandlet. - `Get-ForestDomain` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Get-ForestDomain` - is essential as adversaries and Red Teams might employ it to gain insights into the forest and domain configurations of an Active Directory environment. - Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation. +description: This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-ForestDomain` commandlet. `Get-ForestDomain` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Get-ForestDomain` is essential as adversaries and Red Teams might employ it to gain insights into the forest and domain configurations of an Active Directory environment. Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation. search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*" - | `windows_rename_to_cim` - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_forest_discovery_with_getforestdomain_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs - to be imported. Modify the powershell macro as needed to match the sourcetype or - add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestDomain/ @@ -30,8 +24,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ - by user $user$. + message: Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ by user $user$. mitre_attack_id: - T1087 - T1087.002 diff --git a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml index 13861b2523..8b67b57df5 100644 --- a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml +++ b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml @@ -7,13 +7,9 @@ status: production type: TTP data_source: - Powershell 4104 -description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-LocalAdminAccess` commandlet. - `Find-LocalAdminAccess` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. - Detecting the use of `Find-LocalAdminAccess` is vital as adversaries and Red Teams might employ it to identify machines where the current user context - has local administrator access. Such information can provide attackers with potential targets for lateral movement or privilege escalation within the network. +description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-LocalAdminAccess` commandlet. `Find-LocalAdminAccess` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-LocalAdminAccess` is vital as adversaries and Red Teams might employ it to identify machines where the current user context has local administrator access. Such information can provide attackers with potential targets for lateral movement or privilege escalation within the network. search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*" - | `windows_rename_to_cim` - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_local_admin_with_findlocaladminaccess_filter`' From a0f7f081e1ecbd1ac9290dd037946a0d8f848567 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 14 Sep 2023 14:29:45 -0700 Subject: [PATCH 43/47] remove macro --- macros/windows_rename_to_cim.yml | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 macros/windows_rename_to_cim.yml diff --git a/macros/windows_rename_to_cim.yml b/macros/windows_rename_to_cim.yml deleted file mode 100644 index c5f454cbd5..0000000000 --- a/macros/windows_rename_to_cim.yml +++ /dev/null @@ -1,3 +0,0 @@ -definition: rename Computer as dest, UserID as user -description: rename windows fields to CIM -name: windows_rename_to_cim \ No newline at end of file From e06cfa133d76e154babb121ebaa89251ac0f17ba Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Fri, 15 Sep 2023 10:58:38 -0700 Subject: [PATCH 44/47] Edit how_to_implement for Endpoint.Processes --- ...servers_executing_suspicious_processes.yml | 15 +-- ...n_of_file_with_spaces_before_extension.yml | 13 ++- .../first_time_seen_command_line_argument.yml | 18 ++-- .../deprecated/processes_created_by_netsh.yml | 12 ++- .../prohibited_software_on_endpoint.yml | 54 +++++------ ...de_files_directories_via_registry_keys.yml | 14 ++- ...led_tasks_used_in_badrabbit_ransomware.yml | 14 ++- ...uspicious_changes_to_file_associations.yml | 13 ++- ...ious_powershell_command_line_arguments.yml | 14 ++- .../deprecated/suspicious_rundll32_rename.yml | 14 ++- .../uncommon_processes_on_endpoint.yml | 17 ++-- ...indows_connhost_exe_started_forcefully.yml | 13 ++- .../7zip_commandline_to_smb_share_path.yml | 13 ++- .../account_discovery_with_net_app.yml | 14 ++- .../add_or_set_windows_defender_exclusion.yml | 13 ++- ..._file_and_printing_sharing_in_firewall.yml | 14 ++- .../allow_network_discovery_in_firewall.yml | 14 ++- .../endpoint/anomalous_usage_of_7zip.yml | 12 ++- .../endpoint/any_powershell_downloadfile.yml | 22 +++-- .../any_powershell_downloadstring.yml | 21 +++-- .../endpoint/attacker_tools_on_endpoint.yml | 27 ++++-- ..._to_add_certificate_to_untrusted_store.yml | 33 +++++-- .../attempt_to_stop_security_service.yml | 24 +++-- ...dential_dump_from_registry_via_reg_exe.yml | 14 ++- ...dedit_command_back_to_normal_mode_boot.yml | 13 ++- .../bcdedit_failure_recovery_modification.yml | 12 ++- detections/endpoint/bits_job_persistence.yml | 20 ++-- .../endpoint/bitsadmin_download_file.yml | 22 +++-- ...load_with_urlcache_and_split_arguments.yml | 21 +++-- ...oad_with_verifyctl_and_split_arguments.yml | 21 +++-- .../certutil_exe_certificate_extraction.yml | 20 ++-- .../certutil_with_decode_argument.yml | 21 +++-- ...hange_to_safe_mode_with_network_config.yml | 13 ++- .../endpoint/chcp_command_execution.yml | 22 +++-- .../check_elevated_cmd_using_whoami.yml | 13 ++- .../child_processes_of_spoolsv_exe.yml | 14 ++- ...ar_unallocated_sector_using_cipher_app.yml | 12 ++- .../endpoint/clop_common_exec_parameter.yml | 21 +++-- ...cmd_carry_out_string_command_parameter.yml | 14 ++- .../endpoint/cmd_echo_pipe___escalation.yml | 18 ++-- ...cmdline_tool_not_executed_in_cmd_shell.yml | 14 ++- .../endpoint/conti_common_exec_parameter.yml | 13 ++- ..._loading_from_world_writable_directory.yml | 14 ++- ...ate_local_admin_accounts_using_net_exe.yml | 14 ++- ...or_delete_windows_shares_using_net_exe.yml | 20 ++-- .../endpoint/creation_of_shadow_copy.yml | 13 ++- ...f_shadow_copy_with_wmic_and_powershell.yml | 19 ++-- ...ping_via_copy_command_from_shadow_copy.yml | 19 ++-- ...ial_dumping_via_symlink_to_shadow_copy.yml | 20 ++-- .../csc_net_on_the_fly_compilation.yml | 14 ++- .../curl_download_and_bash_execution.yml | 15 +-- detections/endpoint/deleting_of_net_users.yml | 14 ++- .../endpoint/deleting_shadow_copies.yml | 13 ++- ...tect_azurehound_command_line_arguments.yml | 12 ++- .../detect_certify_command_line_arguments.yml | 42 ++++++--- .../endpoint/detect_html_help_renamed.yml | 14 ++- .../detect_html_help_spawn_child_process.yml | 12 ++- .../detect_html_help_url_in_command_line.yml | 14 ++- ...l_help_using_infotech_storage_handlers.yml | 14 ++- .../detect_mshta_inline_hta_execution.yml | 14 ++- detections/endpoint/detect_mshta_renamed.yml | 14 ++- .../detect_mshta_url_in_command_line.yml | 14 ++- ...nterception_by_creation_of_program_exe.yml | 14 ++- ...system_network_configuration_discovery.yml | 15 +-- ...ohibited_applications_spawning_cmd_exe.yml | 18 ++-- .../detect_psexec_with_accepteula_flag.yml | 14 ++- .../endpoint/detect_rare_executables.yml | 18 ++-- .../detect_rclone_command_line_usage.yml | 14 ++- .../detect_regasm_spawning_a_process.yml | 12 ++- ..._regasm_with_no_command_line_arguments.yml | 14 ++- .../detect_regsvcs_spawning_a_process.yml | 12 ++- ...regsvcs_with_no_command_line_arguments.yml | 14 ++- ...ct_regsvr32_application_control_bypass.yml | 14 ++- detections/endpoint/detect_renamed_7_zip.yml | 12 ++- detections/endpoint/detect_renamed_psexec.yml | 14 ++- detections/endpoint/detect_renamed_rclone.yml | 14 ++- detections/endpoint/detect_renamed_winrar.yml | 14 ++- .../endpoint/detect_rtlo_in_process.yml | 48 +++++----- ...2_application_control_bypass___advpack.yml | 14 ++- ..._application_control_bypass___setupapi.yml | 12 ++- ..._application_control_bypass___syssetup.yml | 14 ++- .../detect_rundll32_inline_hta_execution.yml | 14 ++- ...tect_sharphound_command_line_arguments.yml | 12 ++- .../endpoint/detect_sharphound_usage.yml | 14 ++- ...ssnames_using_pretrained_model_in_dsdl.yml | 94 +++++++------------ ..._cmd_exe_to_launch_script_interpreters.yml | 13 ++- .../detect_webshell_exploit_behavior.yml | 14 ++- .../detection_of_tools_built_by_nirsoft.yml | 13 ++- ...disable_defender_enhanced_notification.yml | 13 ++- .../endpoint/disable_logs_using_wevtutil.yml | 13 ++- detections/endpoint/disable_schedule_task.yml | 13 ++- .../disabling_firewall_with_netsh.yml | 14 ++- .../endpoint/disabling_net_user_account.yml | 14 ++- ...curity_authority_defences_via_registry.yml | 38 ++++---- ...no_command_line_arguments_with_network.yml | 12 ++- .../dns_exfiltration_using_nslookup_app.yml | 13 ++- .../domain_account_discovery_with_dsquery.yml | 13 ++- .../domain_account_discovery_with_net_app.yml | 13 ++- .../domain_account_discovery_with_wmic.yml | 13 ++- ...omain_controller_discovery_with_nltest.yml | 12 ++- .../domain_controller_discovery_with_wmic.yml | 12 ++- .../domain_group_discovery_with_dsquery.yml | 12 ++- .../domain_group_discovery_with_net.yml | 12 ++- .../domain_group_discovery_with_wmic.yml | 12 ++- .../endpoint/dsquery_domain_discovery.yml | 12 ++- .../endpoint/dump_lsass_via_comsvcs_dll.yml | 37 ++++++-- .../endpoint/dump_lsass_via_procdump.yml | 14 ++- .../elevated_group_discovery_with_net.yml | 12 ++- .../elevated_group_discovery_with_wmic.yml | 12 ++- detections/endpoint/esentutl_sam_copy.yml | 14 ++- detections/endpoint/eventvwr_uac_bypass.yml | 13 ++- .../endpoint/excel_spawning_powershell.yml | 14 ++- .../excel_spawning_windows_script_host.yml | 12 ++- .../excessive_attempt_to_disable_services.yml | 13 ++- ...e_distinct_processes_from_windows_temp.yml | 13 ++- ...r_of_service_control_start_as_disabled.yml | 14 ++- ...excessive_number_of_taskhost_processes.yml | 12 ++- .../excessive_service_stop_attempt.yml | 14 ++- .../endpoint/excessive_usage_of_cacls_app.yml | 12 ++- .../endpoint/excessive_usage_of_net_app.yml | 14 ++- .../endpoint/excessive_usage_of_taskkill.yml | 13 ++- ...cute_javascript_with_jscript_com_clsid.yml | 12 ++- ...ution_of_file_with_multiple_extensions.yml | 12 ++- .../endpoint/extraction_of_registry_hives.yml | 12 ++- .../firewall_allowed_program_enable.yml | 14 ++- .../first_time_seen_child_process_of_zoom.yml | 17 ++-- detections/endpoint/fodhelper_uac_bypass.yml | 12 ++- detections/endpoint/fsutil_zeroing_file.yml | 13 ++- ...ltdomainpasswordpolicy_with_powershell.yml | 13 ++- .../endpoint/get_aduser_with_powershell.yml | 13 ++- ...esultantpasswordpolicy_with_powershell.yml | 13 ++- .../get_domainpolicy_with_powershell.yml | 13 ++- .../get_domaintrust_with_powershell.yml | 14 ++- .../get_domainuser_with_powershell.yml | 13 ++- .../get_foresttrust_with_powershell.yml | 14 ++- .../get_wmiobject_group_discovery.yml | 14 ++- .../getadcomputer_with_powershell.yml | 12 ++- .../endpoint/getadgroup_with_powershell.yml | 12 ++- .../getcurrent_user_with_powershell.yml | 12 ++- .../getdomaincomputer_with_powershell.yml | 12 ++- .../getdomaincontroller_with_powershell.yml | 12 ++- .../getdomaingroup_with_powershell.yml | 12 ++- .../endpoint/getlocaluser_with_powershell.yml | 12 ++- .../getnettcpconnection_with_powershell.yml | 12 ++- ...twmiobject_ds_computer_with_powershell.yml | 12 ++- .../getwmiobject_ds_group_with_powershell.yml | 12 ++- .../getwmiobject_ds_user_with_powershell.yml | 13 ++- ...wmiobject_user_account_with_powershell.yml | 12 ++- ...no_command_line_arguments_with_network.yml | 12 ++- ..._files_and_directories_with_attrib_exe.yml | 14 ++- .../hunting_3cxdesktopapp_software.yml | 50 ++++++---- detections/endpoint/icacls_deny_command.yml | 38 ++++---- detections/endpoint/icacls_grant_command.yml | 39 ++++---- ...ateral_movement_commandline_parameters.yml | 12 ++- ...ovement_smbexec_commandline_parameters.yml | 14 ++- ...ovement_wmiexec_commandline_parameters.yml | 14 ++- .../jscript_execution_using_cscript_app.yml | 13 ++- .../endpoint/linux_add_user_account.yml | 13 ++- ...ux_adding_crontab_using_list_parameter.yml | 28 +++++- .../linux_apt_get_privilege_escalation.yml | 13 ++- .../linux_apt_privilege_escalation.yml | 13 ++- .../linux_at_application_execution.yml | 37 ++++++-- .../linux_awk_privilege_escalation.yml | 13 ++- .../linux_busybox_privilege_escalation.yml | 13 ++- .../linux_c89_privilege_escalation.yml | 13 ++- .../linux_c99_privilege_escalation.yml | 13 ++- .../linux_change_file_owner_to_root.yml | 13 ++- .../endpoint/linux_clipboard_data_copy.yml | 14 ++- ...x_common_process_for_elevation_control.yml | 13 ++- .../linux_composer_privilege_escalation.yml | 13 ++- .../linux_cpulimit_privilege_escalation.yml | 13 ++- .../linux_csvtool_privilege_escalation.yml | 13 ++- .../endpoint/linux_curl_upload_file.yml | 14 ++- .../linux_data_destruction_command.yml | 13 ++- .../endpoint/linux_dd_file_overwrite.yml | 13 ++- .../endpoint/linux_decode_base64_to_shell.yml | 14 ++- ...ng_critical_directory_using_rm_command.yml | 13 ++- .../endpoint/linux_disable_services.yml | 13 ++- .../endpoint/linux_doas_tool_execution.yml | 13 ++- .../linux_docker_privilege_escalation.yml | 13 ++- .../linux_edit_cron_table_parameter.yml | 33 +++++-- .../linux_emacs_privilege_escalation.yml | 13 ++- .../linux_find_privilege_escalation.yml | 13 ++- .../linux_gdb_privilege_escalation.yml | 13 ++- .../linux_gem_privilege_escalation.yml | 13 ++- .../linux_gnu_awk_privilege_escalation.yml | 13 ++- .../linux_hardware_addition_swapoff.yml | 13 ++- .../linux_impair_defenses_process_kill.yml | 13 ++- .../linux_indicator_removal_clear_cache.yml | 13 ++- ...ndicator_removal_service_file_deletion.yml | 13 ++- .../linux_ingress_tool_transfer_hunting.yml | 14 ++- .../linux_ingress_tool_transfer_with_curl.yml | 14 ++- ...ert_kernel_module_using_insmod_utility.yml | 13 ++- ...l_kernel_module_using_modprobe_utility.yml | 13 ++- .../linux_iptables_firewall_modification.yml | 13 ++- .../endpoint/linux_java_spawning_shell.yml | 14 ++- .../linux_kernel_module_enumeration.yml | 14 ++- ...orker_process_in_writable_process_path.yml | 13 ++- .../linux_make_privilege_escalation.yml | 13 ++- .../linux_mysql_privilege_escalation.yml | 13 ++- .../linux_ngrok_reverse_proxy_usage.yml | 13 ++- .../linux_node_privilege_escalation.yml | 13 ++- .../linux_nopasswd_entry_in_sudoers_file.yml | 13 ++- ...ted_files_or_information_base64_decode.yml | 14 ++- .../linux_octave_privilege_escalation.yml | 13 ++- .../linux_openvpn_privilege_escalation.yml | 13 ++- .../linux_php_privilege_escalation.yml | 13 ++- .../linux_pkexec_privilege_escalation.yml | 17 ++-- ...ss_or_modification_of_sshd_config_file.yml | 13 ++- ...ux_possible_access_to_credential_files.yml | 13 ++- .../linux_possible_access_to_sudoers_file.yml | 13 ++- ...append_command_to_at_allow_config_file.yml | 24 +++-- ..._append_command_to_profile_config_file.yml | 13 ++- ...cronjob_entry_on_existing_cronjob_file.yml | 34 +++++-- ...sible_cronjob_modification_with_editor.yml | 36 +++++-- .../linux_preload_hijack_library_calls.yml | 13 ++- .../endpoint/linux_proxy_socks_curl.yml | 14 ++- .../linux_puppet_privilege_escalation.yml | 13 ++- .../linux_rpm_privilege_escalation.yml | 13 ++- .../linux_ruby_privilege_escalation.yml | 13 ++- .../endpoint/linux_service_restarted.yml | 33 +++++-- .../linux_service_started_or_enabled.yml | 24 ++++- .../linux_setuid_using_chmod_utility.yml | 13 ++- .../linux_setuid_using_setcap_utility.yml | 13 ++- .../linux_shred_overwrite_command.yml | 13 ++- .../linux_sqlite3_privilege_escalation.yml | 13 ++- ...linux_ssh_authorized_keys_modification.yml | 14 ++- ...nux_ssh_remote_services_script_execute.yml | 25 +++-- ...ux_stdout_redirection_to_dev_null_file.yml | 13 ++- detections/endpoint/linux_stop_services.yml | 13 ++- .../endpoint/linux_sudo_or_su_execution.yml | 13 ++- .../linux_system_network_discovery.yml | 13 ++- ...x_system_reboot_via_system_request_key.yml | 13 ++- ..._unix_shell_enable_all_sysrq_functions.yml | 13 ++- .../linux_visudo_utility_execution.yml | 13 ++- .../local_account_discovery_with_net.yml | 12 ++- .../local_account_discovery_with_wmic.yml | 12 ++- .../macos___re_opened_applications.yml | 14 ++- .../malicious_inprocserver32_modification.yml | 14 ++- ...s_powershell_process___encoded_command.yml | 14 ++- ...hell_process___execution_policy_bypass.yml | 14 ++- ...ll_process_with_obfuscation_techniques.yml | 14 ++- ...z_passtheticket_commandline_parameters.yml | 13 ++- .../mmc_lolbas_execution_process_spawn.yml | 12 ++- ...dify_acl_permission_to_files_or_folder.yml | 13 ++- ...d_suspicious_spawned_by_script_process.yml | 14 ++- ..._spawning_rundll32_or_regsvr32_process.yml | 14 ++- .../endpoint/net_localgroup_discovery.yml | 14 ++- .../network_connection_discovery_with_arp.yml | 12 ++- .../network_connection_discovery_with_net.yml | 12 ++- ...work_connection_discovery_with_netstat.yml | 12 ++- ...work_discovery_using_route_windows_app.yml | 14 ++- .../endpoint/nishang_powershelltcponeline.yml | 14 ++- .../nltest_domain_trust_discovery.yml | 12 ++- ...notepad_with_no_command_line_arguments.yml | 46 ++++++--- detections/endpoint/ntdsutil_export_ntds.yml | 13 ++- ...ice_application_spawn_regsvr32_process.yml | 14 ++- ...ice_application_spawn_rundll32_process.yml | 14 ++- ...ment_spawned_child_process_to_download.yml | 27 +++--- .../office_product_spawn_cmd_process.yml | 24 +++-- .../office_product_spawning_bitsadmin.yml | 22 +++-- .../office_product_spawning_certutil.yml | 24 +++-- .../office_product_spawning_mshta.yml | 22 +++-- ..._product_spawning_rundll32_with_no_dll.yml | 20 ++-- ...e_product_spawning_windows_script_host.yml | 23 +++-- .../endpoint/office_product_spawning_wmic.yml | 24 +++-- .../endpoint/office_spawning_control.yml | 14 ++- ...nnection_from_java_using_default_ports.yml | 12 ++- .../password_policy_discovery_with_net.yml | 13 ++- ...mission_modification_using_takeown_app.yml | 13 ++- .../endpoint/ping_sleep_batch_command.yml | 13 ++- .../possible_browser_pass_view_parameter.yml | 13 ++- ...ible_lateral_movement_powershell_spawn.yml | 23 ++++- ...entially_malicious_code_on_commandline.yml | 14 ++- ...connect_to_internet_with_hidden_window.yml | 14 ++- ...powershell_disable_security_monitoring.yml | 22 +++-- .../powershell_get_localgroup_discovery.yml | 14 ++- .../powershell_start_bitstransfer.yml | 14 ++- ...nt_automatic_repair_mode_using_bcdedit.yml | 13 ++- .../endpoint/process_execution_via_wmi.yml | 13 ++- .../process_kill_base_on_file_path.yml | 14 ++- .../endpoint/processes_launching_netsh.yml | 14 ++- ...rsive_delete_of_directory_in_batch_cmd.yml | 14 ++- ...ulating_windows_services_registry_keys.yml | 15 +-- ...2_silent_and_install_param_dll_loading.yml | 14 ++- ...svr32_with_known_silent_switch_cmdline.yml | 14 ++- .../remcos_client_registry_install_entry.yml | 13 ++- ...mote_desktop_process_running_on_system.yml | 17 ++-- ..._instantiation_via_dcom_and_powershell.yml | 12 ++- ...instantiation_via_winrm_and_powershell.yml | 12 ++- ...cess_instantiation_via_winrm_and_winrs.yml | 12 ++- .../remote_process_instantiation_via_wmi.yml | 14 ++- ...s_instantiation_via_wmi_and_powershell.yml | 12 ++- .../remote_system_discovery_with_dsquery.yml | 12 ++- .../remote_system_discovery_with_net.yml | 12 ++- .../remote_system_discovery_with_wmic.yml | 12 ++- .../endpoint/remote_wmi_command_attempt.yml | 15 +-- .../endpoint/resize_shadowstorage_volume.yml | 13 ++- .../endpoint/revil_common_exec_parameter.yml | 13 ++- detections/endpoint/revil_registry_entry.yml | 13 ++- .../rubeus_command_line_parameters.yml | 13 ++- .../runas_execution_in_commandline.yml | 14 ++- .../endpoint/rundll32_control_rundll_hunt.yml | 14 ++- ...ontrol_rundll_world_writable_directory.yml | 14 ++- .../endpoint/rundll32_lockworkstation.yml | 13 ++- .../endpoint/rundll32_shimcache_flush.yml | 14 ++- ...no_command_line_arguments_with_network.yml | 16 ++-- .../rundll_loading_dll_by_ordinal.yml | 14 ++- .../endpoint/ryuk_wake_on_lan_command.yml | 12 ++- .../sc_exe_manipulating_windows_services.yml | 12 ++- ...k_creation_on_remote_endpoint_using_at.yml | 29 +++++- ...eduled_task_deleted_or_created_via_cmd.yml | 34 ++++--- ...led_task_initiation_on_remote_endpoint.yml | 21 ++++- .../endpoint/schtasks_run_task_on_demand.yml | 24 +++-- ...htasks_scheduling_job_on_remote_system.yml | 27 ++++-- .../schtasks_used_for_forcing_a_reboot.yml | 28 ++++-- .../endpoint/script_execution_via_wmi.yml | 26 ++++- detections/endpoint/sdclt_uac_bypass.yml | 13 ++- .../sdelete_application_execution.yml | 14 ++- ...host_with_no_command_line_with_network.yml | 12 ++- .../secretdumps_offline_ntds_dumping_tool.yml | 13 ++- ...ceprincipalnames_discovery_with_setspn.yml | 14 ++- detections/endpoint/services_escalate_exe.yml | 11 ++- ...ervices_lolbas_execution_process_spawn.yml | 12 ++- ...ution_policy_to_unrestricted_or_bypass.yml | 13 ++- ...nstallation_with_suspicious_parameters.yml | 14 ++- .../endpoint/silentcleanup_uac_bypass.yml | 13 ++- .../single_letter_process_on_endpoint.yml | 14 ++- detections/endpoint/slui_runas_elevated.yml | 12 ++- .../endpoint/slui_spawning_a_process.yml | 12 ++- .../endpoint/spoolsv_spawning_rundll32.yml | 14 ++- .../endpoint/suspicious_copy_on_system32.yml | 34 +++---- .../suspicious_curl_network_connection.yml | 12 ++- ...ious_dllhost_no_command_line_arguments.yml | 14 ++- ...ous_gpupdate_no_command_line_arguments.yml | 13 ++- .../suspicious_icedid_rundll32_cmdline.yml | 14 ++- .../suspicious_linux_discovery_commands.yml | 12 ++- ...ous_microsoft_workflow_compiler_rename.yml | 14 ++- ...ious_microsoft_workflow_compiler_usage.yml | 14 ++- .../endpoint/suspicious_msbuild_path.yml | 14 ++- .../endpoint/suspicious_msbuild_rename.yml | 14 ++- .../endpoint/suspicious_msbuild_spawn.yml | 14 ++- .../suspicious_mshta_child_process.yml | 13 ++- .../endpoint/suspicious_mshta_spawn.yml | 14 ++- .../endpoint/suspicious_plistbuddy_usage.yml | 12 ++- ...ss_executed_from_container_file_filter.yml | 42 ++++++--- .../endpoint/suspicious_process_file_path.yml | 26 +++-- .../endpoint/suspicious_reg_exe_process.yml | 17 ++-- ...ious_regsvr32_register_suspicious_path.yml | 38 ++++---- .../suspicious_rundll32_dllregisterserver.yml | 18 ++-- ...ous_rundll32_no_command_line_arguments.yml | 14 ++- .../suspicious_rundll32_plugininit.yml | 14 ++- .../endpoint/suspicious_rundll32_startw.yml | 14 ++- ...s_scheduled_task_from_public_directory.yml | 29 ++++-- ...protocolhost_no_command_line_arguments.yml | 14 ++- ...spicious_sqlite3_lsquarantine_behavior.yml | 12 ++- .../endpoint/suspicious_wevtutil_usage.yml | 14 ++- ...svchost_lolbas_execution_process_spawn.yml | 24 ++++- ...nfo_gathering_using_dxdiag_application.yml | 14 ++- ...system_information_discovery_detection.yml | 12 ++- ...rocesses_run_from_unexpected_locations.yml | 12 ++- .../system_user_discovery_with_query.yml | 12 ++- .../system_user_discovery_with_whoami.yml | 12 ++- .../endpoint/uninstall_app_using_msiexec.yml | 13 ++- ...wn_process_using_the_kerberos_protocol.yml | 11 ++- .../endpoint/unload_sysmon_filter_driver.yml | 15 +-- .../endpoint/unusually_long_command_line.yml | 13 ++- .../unusually_long_command_line___mltk.yml | 19 ++-- ...ser_discovery_with_env_vars_powershell.yml | 12 ++- detections/endpoint/usn_journal_deletion.yml | 14 ++- .../vbscript_execution_using_wscript_app.yml | 14 ++- .../endpoint/verclsid_clsid_execution.yml | 14 ++- detections/endpoint/w3wp_spawning_shell.yml | 14 ++- .../wbadmin_delete_system_backups.yml | 12 ++- ...cess_spawned_cmd_or_powershell_process.yml | 14 ++- .../wget_download_and_bash_execution.yml | 15 +-- .../windows_ad_dsrm_account_changes.yml | 41 ++++---- detections/endpoint/windows_adfind_exe.yml | 12 ++- .../windows_apache_benchmark_binary.yml | 14 ++- ...roxy_execution_mavinject_dll_injection.yml | 14 ++- .../windows_bypass_uac_via_pkgmgr_tool.yml | 43 ++++++--- ...ws_cached_domain_credentials_reg_query.yml | 13 ++- ...fault_file_association_for_no_file_ext.yml | 15 +-- ..._hijacking_inprocserver32_modification.yml | 14 ++- ...ing_interpreter_hunting_path_traversal.yml | 14 ++- ...ipting_interpreter_path_traversal_exec.yml | 14 ++- ...s_command_shell_dcrat_forkbomb_payload.yml | 14 ++- ...dows_command_shell_fetch_env_variables.yml | 14 ++- ...ential_dumping_lsass_memory_createdump.yml | 14 ++- ...credentials_from_password_stores_query.yml | 13 ++- ...dows_credentials_in_registry_reg_query.yml | 13 ++- ...ndows_curl_download_to_suspicious_path.yml | 14 ++- ...dows_curl_upload_to_remote_destination.yml | 14 ++- ...group_policy_object_modified_with_gpme.yml | 52 ++++++---- ...ry_by_a_non_critical_process_file_path.yml | 13 ++- ...ows_event_logging_disable_http_logging.yml | 14 ++- .../endpoint/windows_diskcryptor_usage.yml | 14 ++- .../windows_diskshadow_proxy_execution.yml | 14 ++- .../endpoint/windows_dism_remove_defender.yml | 14 ++- ...indows_dll_search_order_hijacking_hunt.yml | 15 +-- ...l_search_order_hijacking_with_iscsicpl.yml | 14 ++- ...dll_side_loading_process_child_of_calc.yml | 37 +++++--- .../windows_dns_gather_network_info.yml | 39 +++++--- ...ows_dotnet_binary_in_non_standard_path.yml | 14 ++- ...s_execute_arbitrary_commands_with_msdt.yml | 14 ++- ..._access_rights_modification_via_icacls.yml | 44 +++++---- .../windows_findstr_gpp_discovery.yml | 45 +++++---- .../windows_identify_protocol_handlers.yml | 14 ++- .../windows_iis_components_add_new_module.yml | 15 +-- ...impair_defense_add_xml_applocker_rules.yml | 14 ++- ...ndirect_command_execution_via_forfiles.yml | 13 ++- ..._indirect_command_execution_via_pcalua.yml | 13 ++- ...mmand_execution_via_series_of_forfiles.yml | 15 +-- .../windows_information_discovery_fsutil.yml | 13 ++- ...s_ingress_tool_transfer_using_explorer.yml | 14 ++- ...ndows_installutil_in_non_standard_path.yml | 14 ++- ..._installutil_remote_network_connection.yml | 14 ++- .../windows_installutil_uninstall_option.yml | 14 ++- ...tallutil_uninstall_option_with_network.yml | 14 ++- ...indows_installutil_url_in_command_line.yml | 14 ++- .../endpoint/windows_java_spawning_shells.yml | 15 +-- .../windows_lateral_tool_transfer_remcom.yml | 42 ++++++--- ...ndows_ldifde_directory_object_behavior.yml | 60 ++++++++---- ...masquerading_explorer_as_child_process.yml | 14 ++- .../windows_mimikatz_binary_execution.yml | 14 ++- ...y_registry_qakbot_binary_data_registry.yml | 13 ++- .../windows_modify_registry_reg_restore.yml | 13 ++- ...ify_registry_regedit_silent_reg_import.yml | 14 ++- ..._mof_event_triggered_execution_via_wmi.yml | 14 ++- .../windows_msiexec_dllregisterserver.yml | 14 ++- .../windows_msiexec_remote_download.yml | 14 ++- ...indows_msiexec_spawn_discovery_command.yml | 14 ++- ...s_msiexec_unregister_dllregisterserver.yml | 14 ++- ...ndows_msiexec_with_network_connections.yml | 16 ++-- .../windows_ngrok_reverse_proxy_usage.yml | 14 ++- .../endpoint/windows_nirsoft_advancedrun.yml | 14 ++- .../endpoint/windows_nirsoft_utilities.yml | 14 ++- .../endpoint/windows_odbcconf_hunting.yml | 14 ++- .../endpoint/windows_odbcconf_load_dll.yml | 14 ++- .../windows_odbcconf_load_response_file.yml | 14 ++- .../windows_office_product_spawning_msdt.yml | 14 ++- .../windows_papercut_ng_spawn_shell.yml | 42 ++++++--- .../windows_password_managers_discovery.yml | 13 ++- ...ws_phishing_pdf_file_executes_url_link.yml | 14 ++- .../windows_powershell_remotesigned_file.yml | 48 +++++----- .../windows_private_keys_discovery.yml | 13 ++- ...process_injection_wermgr_child_process.yml | 14 ++- ...ows_process_with_namedpipe_commandline.yml | 13 ++- .../windows_protocol_tunneling_with_plink.yml | 14 ++- .../endpoint/windows_proxy_via_netsh.yml | 38 ++++---- .../windows_query_registry_reg_save.yml | 13 ++- ...indows_raccine_scheduled_task_deletion.yml | 14 ++- .../windows_rasautou_dll_execution.yml | 14 ++- .../windows_registry_payload_injection.yml | 62 ++++++++---- .../windows_regsvr32_renamed_binary.yml | 14 ++- .../windows_remote_access_software_hunt.yml | 14 ++- ...ows_remote_assistance_spawning_process.yml | 14 ++- .../windows_remote_create_service.yml | 43 ++++++--- ...remote_service_rdpwinst_tool_execution.yml | 14 ++- ..._remote_services_allow_rdp_in_firewall.yml | 13 ++- .../windows_rundll32_webdav_request.yml | 51 ++++++---- ...undll32_webdav_with_network_connection.yml | 64 ++++++++----- ...windows_scheduled_task_created_via_xml.yml | 51 ++++++---- ...s_scheduled_task_service_spawned_shell.yml | 50 ++++++---- ...scheduled_task_with_highest_privileges.yml | 30 ++++-- .../windows_schtasks_create_run_as_system.yml | 24 +++-- ...ndows_security_account_manager_stopped.yml | 13 ++- ...ws_security_support_provider_reg_query.yml | 13 ++- ...tware_component_gacutil_install_to_gac.yml | 14 ++- ...dows_service_create_kernel_mode_driver.yml | 14 ++- .../windows_service_create_with_tscon.yml | 56 ++++++++--- ...ws_service_creation_on_remote_endpoint.yml | 12 ++- ..._service_initiation_on_remote_endpoint.yml | 12 ++- .../windows_service_stop_by_deletion.yml | 13 ++- ...rvice_stop_via_net__and_sc_application.yml | 14 ++- ...hishing_attachment_onenote_spawn_mshta.yml | 14 ++- .../windows_sql_spawning_certutil.yml | 49 ++++++++-- ...ntication_certificates_certutil_backup.yml | 14 ++- ...cation_certificates_export_certificate.yml | 13 ++- ...ion_certificates_export_pfxcertificate.yml | 13 ++- ..._steal_or_forge_kerberos_tickets_klist.yml | 13 ++- ...execution_compiled_html_file_decompile.yml | 14 ++- ...s_system_discovery_using_ldap_nslookup.yml | 14 ++- ...windows_system_discovery_using_qwinsta.yml | 14 ++- .../windows_system_logoff_commandline.yml | 14 ++- ...m_network_config_discovery_display_dns.yml | 13 ++- ...em_network_connections_discovery_netsh.yml | 13 ++- .../windows_system_reboot_commandline.yml | 14 ++- ...oxy_execution_syncappvpublishingserver.yml | 14 ++- .../windows_system_shutdown_commandline.yml | 46 +++++---- ...dows_system_time_discovery_w32tm_delay.yml | 14 ++- ...indows_system_user_discovery_via_quser.yml | 13 ++- ...id_account_with_never_expires_password.yml | 13 ++- ...inlogon_with_public_network_connection.yml | 83 ++++++++++------ .../windows_wmi_process_and_service_list.yml | 13 ++- .../windows_wmi_process_call_create.yml | 13 ++- .../endpoint/winhlp32_spawning_a_process.yml | 14 ++- .../winrar_spawning_shell_application.yml | 48 ++++++++-- .../endpoint/winrm_spawning_a_process.yml | 12 ++- detections/endpoint/winword_spawning_cmd.yml | 14 ++- .../endpoint/winword_spawning_powershell.yml | 14 ++- .../winword_spawning_windows_script_host.yml | 12 ++- detections/endpoint/wmic_group_discovery.yml | 14 ++- ...wmic_noninteractive_app_uninstallation.yml | 14 ++- .../endpoint/wmic_xsl_execution_via_url.yml | 14 ++- ...miprsve_lolbas_execution_process_spawn.yml | 12 ++- ...pt_or_cscript_suspicious_child_process.yml | 13 ++- ...rovhost_lolbas_execution_process_spawn.yml | 12 ++- detections/endpoint/wsreset_uac_bypass.yml | 13 ++- .../xsl_script_execution_with_wmic.yml | 13 ++- 510 files changed, 5750 insertions(+), 2900 deletions(-) diff --git a/detections/application/web_servers_executing_suspicious_processes.yml b/detections/application/web_servers_executing_suspicious_processes.yml index e03cf5122c..fe35ccdfb6 100644 --- a/detections/application/web_servers_executing_suspicious_processes.yml +++ b/detections/application/web_servers_executing_suspicious_processes.yml @@ -15,12 +15,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime OR Processes.process="*wget*" OR Processes.process="*service*" OR Processes.process="*curl*") by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. In addition, web servers will need to be identified in the Assets and Identity - Framework of Enterprise Security. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks. references: [] diff --git a/detections/deprecated/execution_of_file_with_spaces_before_extension.yml b/detections/deprecated/execution_of_file_with_spaces_before_extension.yml index 06989ed43c..2b512d11e3 100644 --- a/detections/deprecated/execution_of_file_with_spaces_before_extension.yml +++ b/detections/deprecated/execution_of_file_with_spaces_before_extension.yml @@ -15,10 +15,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces where Processes.process = "* .*" by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_spaces_before_extension_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data - that records process activity from your hosts to populate the endpoint data model - in the processes node. If you are using Sysmon, you must have at least version 6.0.4 - of the Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: None identified. references: [] tags: diff --git a/detections/deprecated/first_time_seen_command_line_argument.yml b/detections/deprecated/first_time_seen_command_line_argument.yml index 2207d91d3e..3094fd5e77 100644 --- a/detections/deprecated/first_time_seen_command_line_argument.yml +++ b/detections/deprecated/first_time_seen_command_line_argument.yml @@ -21,15 +21,15 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_ previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter` ' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must be ingesting - logs with both the process name and command line from your endpoints. The complete - process name with command-line arguments are mapped to the "process" field in the - Endpoint data model. Please make sure you run the support search "Previously seen - command line arguments,"—which creates a lookup file called `previously_seen_cmd_line_arguments.csv`—a - historical baseline of all command-line arguments. You must also validate this list. - For the search to do accurate calculation, ensure the search scheduling is the same - value as the `relative_time` evaluation function. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. We recommend customizing the `first_time_seen_cmd_line_filter` diff --git a/detections/deprecated/processes_created_by_netsh.yml b/detections/deprecated/processes_created_by_netsh.yml index 80e09f91cb..3ecfc79310 100644 --- a/detections/deprecated/processes_created_by_netsh.yml +++ b/detections/deprecated/processes_created_by_netsh.yml @@ -19,9 +19,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces where Processes.process_name=netsh.exe by Processes.user Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `processes_created_by_netsh_filter`' -how_to_implement: To successfully implement this search, you must be ingesting logs - with the process name, command-line arguments, and parent processes from your endpoints. - If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: It is unusual for netsh.exe to have any child processes in most environments. It makes sense to investigate the child process and verify whether the process spawned is legitimate. We explicitely exclude "C:\Program Files\rempl\sedlauncher.exe" diff --git a/detections/deprecated/prohibited_software_on_endpoint.yml b/detections/deprecated/prohibited_software_on_endpoint.yml index af67f02a67..2abbefd503 100644 --- a/detections/deprecated/prohibited_software_on_endpoint.yml +++ b/detections/deprecated/prohibited_software_on_endpoint.yml @@ -1,52 +1,48 @@ name: Prohibited Software On Endpoint id: a51bfe1a-94f0-48cc-b4e4-b6ae50145893 version: 2 -date: "2019-10-11" +date: '2019-10-11' author: David Dorsey, Splunk status: deprecated type: Hunting -description: - This search looks for applications on the endpoint that you have marked +description: This search looks for applications on the endpoint that you have marked as prohibited. data_source: - - Sysmon Event ID 1 -search: - "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) +- Sysmon Event ID 1 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` - | `prohibited_processes` | `prohibited_software_on_endpoint_filter`" -how_to_implement: - To successfully implement this search, you must be ingesting data - that records process activity from your hosts to populate the endpoint data model - in the processes node. This is typically populated via endpoint detection-and-response - product, such as Carbon Black or endpoint data sources, such as Sysmon. The data - used for this search is usually generated via logs that report process tracking - in your Windows audit settings. In addition, you must also have only the `process_name` - (not the entire process path) marked as "prohibited" in the Enterprise Security - `interesting processes` table. To include the process names marked as "prohibited", - which is included with ES Content Updates, run the included search Add Prohibited - Processes to Enterprise Security. + | `prohibited_processes` | `prohibited_software_on_endpoint_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: None identified references: [] tags: analytic_story: - - Monitor for Unauthorized Software - - "Emotet Malware DHS Report TA18-201A " - - SamSam Ransomware + - Monitor for Unauthorized Software + - 'Emotet Malware DHS Report TA18-201A ' + - SamSam Ransomware asset_type: Endpoint confidence: 50 impact: 50 message: tbd observable: - - name: field - type: Unknown - role: - - Unknown + - name: field + type: Unknown + role: + - Unknown product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - _times + - _times risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml b/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml index 7b6faf5103..29d166c627 100644 --- a/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml +++ b/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml @@ -15,11 +15,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.process="*REG_DWORD*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`| regex process = "(/d\s+2)" | `reg_exe_used_to_hide_files_directories_via_registry_keys_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: None at the moment references: [] tags: diff --git a/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml b/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml index df4b629fa3..3c511d4da3 100644 --- a/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml +++ b/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime "*delete*") by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) | `scheduled_tasks_used_in_badrabbit_ransomware_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: No known false positives references: [] tags: diff --git a/detections/deprecated/suspicious_changes_to_file_associations.yml b/detections/deprecated/suspicious_changes_to_file_associations.yml index 54923985ef..ade4a24926 100644 --- a/detections/deprecated/suspicious_changes_to_file_associations.yml +++ b/detections/deprecated/suspicious_changes_to_file_associations.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime as registry_path count from datamodel=Endpoint.Registry where Registry.registry_path=*\\Explorer\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name("Registry")` | table process_id dest registry_path]| `suspicious_changes_to_file_associations_filter` ' -how_to_implement: To successfully implement this search you need to be ingesting information - on registry changes that include the name of the process responsible for the changes - from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` - nodes. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: There may be other processes in your environment that users may legitimately use to modify file associations. If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions. diff --git a/detections/deprecated/suspicious_powershell_command_line_arguments.yml b/detections/deprecated/suspicious_powershell_command_line_arguments.yml index 87068b1d4e..5a791c4a41 100644 --- a/detections/deprecated/suspicious_powershell_command_line_arguments.yml +++ b/detections/deprecated/suspicious_powershell_command_line_arguments.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* | `suspicious_powershell_command_line_arguments_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Legitimate process can have this combination of command-line options, but it's not common. references: [] diff --git a/detections/deprecated/suspicious_rundll32_rename.yml b/detections/deprecated/suspicious_rundll32_rename.yml index a6bd52acfc..6abf25019f 100644 --- a/detections/deprecated/suspicious_rundll32_rename.yml +++ b/detections/deprecated/suspicious_rundll32_rename.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_rename_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. references: diff --git a/detections/deprecated/uncommon_processes_on_endpoint.yml b/detections/deprecated/uncommon_processes_on_endpoint.yml index e788b4d77b..e24e18fe44 100644 --- a/detections/deprecated/uncommon_processes_on_endpoint.yml +++ b/detections/deprecated/uncommon_processes_on_endpoint.yml @@ -13,14 +13,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `uncommon_processes` |`uncommon_processes_on_endpoint_filter` ' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. This search uses a lookup file `uncommon_processes_default.csv` to track - various features of process names that are usually uncommon in most environments. - Please consider updating `uncommon_processes_local.csv` to hunt for processes that - are uncommon in your environment. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: None identified references: [] tags: diff --git a/detections/deprecated/windows_connhost_exe_started_forcefully.yml b/detections/deprecated/windows_connhost_exe_started_forcefully.yml index 3a12cb6556..4eb62ad733 100644 --- a/detections/deprecated/windows_connhost_exe_started_forcefully.yml +++ b/detections/deprecated/windows_connhost_exe_started_forcefully.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime 0xffffffff *-ForceV1*" by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_connhost_exe_started_forcefully_filter`' -how_to_implement: You must be ingesting data that records the process-system activity - from your hosts to populate the Endpoint Processes data-model object. If you are - using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which - you want to collect data. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: This process should not be ran forcefully, we have not see any false positives for this detection references: [] diff --git a/detections/endpoint/7zip_commandline_to_smb_share_path.yml b/detections/endpoint/7zip_commandline_to_smb_share_path.yml index 4df412bb04..51f1d261f5 100644 --- a/detections/endpoint/7zip_commandline_to_smb_share_path.yml +++ b/detections/endpoint/7zip_commandline_to_smb_share_path.yml @@ -21,10 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_id Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed 7z.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://threadreaderapp.com/thread/1423361119926816776.html diff --git a/detections/endpoint/account_discovery_with_net_app.yml b/detections/endpoint/account_discovery_with_net_app.yml index de4b3c47d4..766304d018 100644 --- a/detections/endpoint/account_discovery_with_net_app.yml +++ b/detections/endpoint/account_discovery_with_net_app.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as OR Processes.process="*view /all*") by Processes.process_name Processes.dest Processes.user Processes.parent_process_name | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `account_discovery_with_net_app_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product.. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Admin or power user may used this series of command. references: - https://labs.vipre.com/trickbot-and-its-modules/ diff --git a/detections/endpoint/add_or_set_windows_defender_exclusion.yml b/detections/endpoint/add_or_set_windows_defender_exclusion.yml index cd9ae227df..b5e1b1a919 100644 --- a/detections/endpoint/add_or_set_windows_defender_exclusion.yml +++ b/detections/endpoint/add_or_set_windows_defender_exclusion.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_or_set_windows_defender_exclusion_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure - that this registry was included in your config files ex. sysmon config to be monitored. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Admin or user may choose to use this windows features. Filter as needed. references: diff --git a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml index b47cabc958..b2ae4824a1 100644 --- a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml +++ b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_file_and_printing_sharing_in_firewall_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: network admin may modify this firewall feature that may cause this rule to be triggered. references: diff --git a/detections/endpoint/allow_network_discovery_in_firewall.yml b/detections/endpoint/allow_network_discovery_in_firewall.yml index 13fc33529a..8e199753be 100644 --- a/detections/endpoint/allow_network_discovery_in_firewall.yml +++ b/detections/endpoint/allow_network_discovery_in_firewall.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_network_discovery_in_firewall_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: network admin may modify this firewall feature that may cause this rule to be triggered. references: diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml index 3be0e282d8..c0fd2ad9bc 100644 --- a/detections/endpoint/anomalous_usage_of_7zip.yml +++ b/detections/endpoint/anomalous_usage_of_7zip.yml @@ -20,9 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `anomalous_usage_of_7zip_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip. references: diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml index c0ac9df75d..9a47b50a5a 100644 --- a/detections/endpoint/any_powershell_downloadfile.yml +++ b/detections/endpoint/any_powershell_downloadfile.yml @@ -14,15 +14,19 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* - by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name - Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `any_powershell_downloadfile_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage. diff --git a/detections/endpoint/any_powershell_downloadstring.yml b/detections/endpoint/any_powershell_downloadstring.yml index e20e75817d..9c73250231 100644 --- a/detections/endpoint/any_powershell_downloadstring.yml +++ b/detections/endpoint/any_powershell_downloadstring.yml @@ -14,14 +14,19 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by - Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage. diff --git a/detections/endpoint/attacker_tools_on_endpoint.yml b/detections/endpoint/attacker_tools_on_endpoint.yml index 16b6f81910..385b25c0ea 100644 --- a/detections/endpoint/attacker_tools_on_endpoint.yml +++ b/detections/endpoint/attacker_tools_on_endpoint.yml @@ -5,7 +5,17 @@ date: '2021-11-04' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic aims to identify the use of tools commonly exploited by cybercriminals. The use of these tools often signals nefarious activities like unauthorized access, network scanning, or data exfiltration, representing a significant threat to an organization's security infrastructure. By examining process activity on the host, particularly those processes corresponding to known attacker tool names, this analytic serves as an early warning system for potential security incidents. However, its precision must be balanced with the understanding that some administrative activities might also trigger alerts, resulting in false positives. This underlines the importance of cyber analysts having a clear understanding of typical endpoint activities and behaviors within their organization, enabling them to accurately interpret and respond to these alerts. +description: The following analytic aims to identify the use of tools commonly exploited + by cybercriminals. The use of these tools often signals nefarious activities like + unauthorized access, network scanning, or data exfiltration, representing a significant + threat to an organization's security infrastructure. By examining process activity + on the host, particularly those processes corresponding to known attacker tool names, + this analytic serves as an early warning system for potential security incidents. + However, its precision must be balanced with the understanding that some administrative + activities might also trigger alerts, resulting in false positives. This underlines + the importance of cyber analysts having a clear understanding of typical endpoint + activities and behaviors within their organization, enabling them to accurately + interpret and respond to these alerts. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -15,12 +25,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup attacker_tools attacker_tool_names AS process_name OUTPUT description | search description !=false| `attacker_tools_on_endpoint_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data - that records process activity from your hosts to populate the endpoint data model - in the processes node. This is typically populated via endpoint detection-and-response - product, such as Carbon Black or endpoint data sources, such as Sysmon. The data - used for this search is usually generated via logs that report process tracking - in your Windows audit settings. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some administrator activity can be potentially triggered, please add those users to the filter macro. references: [] diff --git a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml index d6ea16c6dc..b79950c531 100644 --- a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml +++ b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml @@ -5,19 +5,34 @@ date: '2021-09-16' author: Patrick Bareiss, Rico Valdez, Splunk status: production type: TTP -description: The following analytic is designed to detect potential security threats involving the misuse of system trust. It works by detecting events where a process attempts to add a certificate to the untrusted certificate store, an action often associated with disabling security tools. The analytic uses Sysmon Event ID 1 data source, particularly focusing on process activities and command-line arguments related to 'certutil -addstore'. It's essential to ingest data that records process activity and logs containing process names and command lines for its effective operation. Be aware, sometimes administrators might legitimately perform this action. The analytic's value lies in detecting isolated or unexpected instances, indicative of potential malicious activities. Cybersecurity analysts should understand the importance of trust mechanisms and their subversion in system security. +description: The following analytic is designed to detect potential security threats + involving the misuse of system trust. It works by detecting events where a process + attempts to add a certificate to the untrusted certificate store, an action often + associated with disabling security tools. The analytic uses Sysmon Event ID 1 data + source, particularly focusing on process activities and command-line arguments related + to 'certutil -addstore'. It's essential to ingest data that records process activity + and logs containing process names and command lines for its effective operation. + Be aware, sometimes administrators might legitimately perform this action. The analytic's + value lies in detecting isolated or unexpected instances, indicative of potential + malicious activities. Cybersecurity analysts should understand the importance of + trust mechanisms and their subversion in system security. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` - (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` - | `attempt_to_add_certificate_to_untrusted_store_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. + (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems. diff --git a/detections/endpoint/attempt_to_stop_security_service.yml b/detections/endpoint/attempt_to_stop_security_service.yml index faaddc8abf..570306820b 100644 --- a/detections/endpoint/attempt_to_stop_security_service.yml +++ b/detections/endpoint/attempt_to_stop_security_service.yml @@ -12,16 +12,20 @@ data_source: search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process="* stop - *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name - Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - |lookup security_services_lookup service as process OUTPUTNEW category, description - | search category=security | `attempt_to_stop_security_service_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` |lookup security_services_lookup service as + process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: None identified. Attempts to disable security-related services should be identified and understood. references: diff --git a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml index e11227f8cc..e24606240d 100644 --- a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml +++ b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: None identified. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets diff --git a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml index d16951cad6..ed4cd4f9ab 100644 --- a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml +++ b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_command_back_to_normal_mode_boot_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ diff --git a/detections/endpoint/bcdedit_failure_recovery_modification.yml b/detections/endpoint/bcdedit_failure_recovery_modification.yml index 9f1c8b4d5d..b00ba015c9 100644 --- a/detections/endpoint/bcdedit_failure_recovery_modification.yml +++ b/detections/endpoint/bcdedit_failure_recovery_modification.yml @@ -16,9 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_failure_recovery_modification_filter`' -how_to_implement: You must be ingesting endpoint data that tracks process activity, - including parent-child relationships from your endpoints to populate the Endpoint - data model in the Processes node. Tune based on parent process names. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may modify the boot configuration. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-4---windows---disable-windows-recovery-console-repair diff --git a/detections/endpoint/bits_job_persistence.yml b/detections/endpoint/bits_job_persistence.yml index 4ea33a71e6..4b4742789f 100644 --- a/detections/endpoint/bits_job_persistence.yml +++ b/detections/endpoint/bits_job_persistence.yml @@ -18,14 +18,18 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, *resume* ) by Processes.dest Processes.user Processes.original_file_name - Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `bits_job_persistence_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bits_job_persistence_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives will be present. Typically, applications will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments (legitimate applications) or parent process. diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml index 9adebd11d9..e2684ea0b4 100644 --- a/detections/endpoint/bitsadmin_download_file.yml +++ b/detections/endpoint/bitsadmin_download_file.yml @@ -21,15 +21,19 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process - IN ("*transfer*", "*addfile*") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name - Processes.original_file_name Processes.process_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + IN ("*transfer*", "*addfile*") by Processes.dest Processes.user Processes.parent_process + Processes.parent_process_name Processes.original_file_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives, however it may be required to filter based on parent process name or network connection. references: diff --git a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml index 422da9cbf9..fd814d5235 100644 --- a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml @@ -17,14 +17,19 @@ data_source: search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user - Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id - Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_urlcache_and_split_arguments_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.original_file_name Processes.parent_process_id | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `certutil_download_with_urlcache_and_split_arguments_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection. references: diff --git a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml index 33723ededb..f1e93aef98 100644 --- a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml @@ -17,14 +17,19 @@ data_source: search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*verifyctl* Processes.process=*split*) OR Processes.process=*verifyctl* by Processes.dest Processes.user - Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_verifyctl_and_split_arguments_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + Processes.original_file_name Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `certutil_download_with_verifyctl_and_split_arguments_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection. references: diff --git a/detections/endpoint/certutil_exe_certificate_extraction.yml b/detections/endpoint/certutil_exe_certificate_extraction.yml index b7b8c30f59..6fd31fbb00 100644 --- a/detections/endpoint/certutil_exe_certificate_extraction.yml +++ b/detections/endpoint/certutil_exe_certificate_extraction.yml @@ -12,13 +12,19 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe - Processes.process = "*-exportPFX*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `certutil_exe_certificate_extraction_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. + Processes.process = "*-exportPFX*" by Processes.dest Processes.user Processes.parent_process + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `certutil_exe_certificate_extraction_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Extraction of certificate has been observed during attacks such as Golden SAML and other campaigns targeting Federated services. diff --git a/detections/endpoint/certutil_with_decode_argument.yml b/detections/endpoint/certutil_with_decode_argument.yml index 2c15427702..428222b5b2 100644 --- a/detections/endpoint/certutil_with_decode_argument.yml +++ b/detections/endpoint/certutil_with_decode_argument.yml @@ -17,14 +17,19 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* - by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_with_decode_argument_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `certutil_with_decode_argument_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Typically seen used to `encode` files, but it is possible to see legitimate use of `decode`. Filter based on parent-child relationship, file paths, endpoint or user. diff --git a/detections/endpoint/change_to_safe_mode_with_network_config.yml b/detections/endpoint/change_to_safe_mode_with_network_config.yml index 0610d1bc1c..422606099d 100644 --- a/detections/endpoint/change_to_safe_mode_with_network_config.yml +++ b/detections/endpoint/change_to_safe_mode_with_network_config.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process="*network*" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `change_to_safe_mode_with_network_config_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml index 639afc2d6a..342a48cff1 100644 --- a/detections/endpoint/chcp_command_execution.yml +++ b/detections/endpoint/chcp_command_execution.yml @@ -12,14 +12,20 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com - Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*) by Processes.process_name - Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id - Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `chcp_command_execution_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed chcp.com may be used. + Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*) + by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process + Processes.process_id Processes.parent_process_id Processes.dest Processes.user | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `chcp_command_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: other tools or script may used this to change code page to UTF-* or others references: diff --git a/detections/endpoint/check_elevated_cmd_using_whoami.yml b/detections/endpoint/check_elevated_cmd_using_whoami.yml index 6003188481..22b8d0be52 100644 --- a/detections/endpoint/check_elevated_cmd_using_whoami.yml +++ b/detections/endpoint/check_elevated_cmd_using_whoami.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime = "*12288*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `check_elevated_cmd_using_whoami_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: [] tags: diff --git a/detections/endpoint/child_processes_of_spoolsv_exe.yml b/detections/endpoint/child_processes_of_spoolsv_exe.yml index 07dbf99066..1f6d69d0a5 100644 --- a/detections/endpoint/child_processes_of_spoolsv_exe.yml +++ b/detections/endpoint/child_processes_of_spoolsv_exe.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter` ' -how_to_implement: You must be ingesting endpoint data that tracks process activity, - including parent-child relationships from your endpoints to populate the Endpoint - data model in the Processes node. The command-line arguments are mapped to the "process" - field in the Endpoint data model. Update the `children_of_spoolsv_filter` macro - to filter out legitimate child processes spawned by spoolsv.exe. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some legitimate printer-related processes may show up as children of spoolsv.exe. You should confirm that any activity as legitimate and may be added as exclusions in the search. diff --git a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml index c56e5b6502..8df01ccb19 100644 --- a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml +++ b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml @@ -16,9 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clear_unallocated_sector_using_cipher_app_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: administrator may execute this app to manage disk references: - https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/ diff --git a/detections/endpoint/clop_common_exec_parameter.yml b/detections/endpoint/clop_common_exec_parameter.yml index 22aedf38f7..9db57201b0 100644 --- a/detections/endpoint/clop_common_exec_parameter.yml +++ b/detections/endpoint/clop_common_exec_parameter.yml @@ -14,14 +14,21 @@ description: The following analytics are designed to identifies some CLOP ransom since it is waiting for some parameter to execute properly. data_source: - Sysmon Event ID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name != "*temp.dat*" Processes.process = "*runrun*" OR Processes.process = "*temp.dat*" - by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name != "*temp.dat*" + Processes.process = "*runrun*" OR Processes.process = "*temp.dat*" by Processes.dest + Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_common_exec_parameter_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Operators can execute third party tools using these parameters. references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml index 036a01fc20..ca7074bc1e 100644 --- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml +++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_ Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be high based on legitimate scripted code in any environment. Filter as needed. references: diff --git a/detections/endpoint/cmd_echo_pipe___escalation.yml b/detections/endpoint/cmd_echo_pipe___escalation.yml index a57fa1ab82..3d7f9059d2 100644 --- a/detections/endpoint/cmd_echo_pipe___escalation.yml +++ b/detections/endpoint/cmd_echo_pipe___escalation.yml @@ -14,14 +14,18 @@ data_source: search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user - Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. It is possible filtering may be required to ensure fidelity. references: diff --git a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml index 61fb949ee9..854710ecc2 100644 --- a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml +++ b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml @@ -27,11 +27,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmdline_tool_not_executed_in_cmd_shell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: A network operator or systems administrator may utilize an automated host discovery application that may generate false positives. Filter as needed. diff --git a/detections/endpoint/conti_common_exec_parameter.yml b/detections/endpoint/conti_common_exec_parameter.yml index 47eb6667f6..19fb921166 100644 --- a/detections/endpoint/conti_common_exec_parameter.yml +++ b/detections/endpoint/conti_common_exec_parameter.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `conti_common_exec_parameter_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: 3rd party tool may have commandline parameter that can trigger this detection. references: diff --git a/detections/endpoint/control_loading_from_world_writable_directory.yml b/detections/endpoint/control_loading_from_world_writable_directory.yml index 658f160afb..4a7cf0e367 100644 --- a/detections/endpoint/control_loading_from_world_writable_directory.yml +++ b/detections/endpoint/control_loading_from_world_writable_directory.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `control_loading_from_world_writable_directory_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives will be present as control.exe does not natively load from writable paths as defined. One may add .cpl or .inf to the command-line if there is any false positives. Tune as needed. diff --git a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml b/detections/endpoint/create_local_admin_accounts_using_net_exe.yml index b17e92d725..68f8abd683 100644 --- a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml +++ b/detections/endpoint/create_local_admin_accounts_using_net_exe.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.user) OR Processes.process=*administratorer*) by Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators often leverage net.exe to create admin accounts. references: [] tags: diff --git a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml index 798036214c..5e26355b95 100644 --- a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml +++ b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml @@ -12,14 +12,18 @@ data_source: search: '| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by - Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter` ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name + Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter` ' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate. references: diff --git a/detections/endpoint/creation_of_shadow_copy.yml b/detections/endpoint/creation_of_shadow_copy.yml index d84d1821ed..cdb2792e49 100644 --- a/detections/endpoint/creation_of_shadow_copy.yml +++ b/detections/endpoint/creation_of_shadow_copy.yml @@ -16,10 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_filter`' -how_to_implement: You must be ingesting endpoint data that tracks process activity, - including parent-child relationships from your endpoints, to populate the Endpoint - data model in the Processes node. The command-line arguments are mapped to the "process" - field in the Endpoint data model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Legitimate administrator usage of Vssadmin or Wmic will create false positives. references: diff --git a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml index 5a87fb8dce..df6cee46b1 100644 --- a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml +++ b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml @@ -12,13 +12,18 @@ data_source: search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` OR `process_powershell` Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name - Processes.original_file_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + Processes.original_file_name Processes.parent_process_name Processes.process Processes.dest + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `creation_of_shadow_copy_with_wmic_and_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Legtimate administrator usage of wmic to create a shadow copy. references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf diff --git a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml index aa9ac38edb..47d4de5303 100644 --- a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml +++ b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml @@ -14,13 +14,18 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime OR Processes.process=*\\system32\\config\\security* OR Processes.process=*\\system32\\config\\system* OR Processes.process=*\\windows\\ntds\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name - Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter` ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + Processes.process_id Processes.parent_process_id Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `credential_dumping_via_copy_command_from_shadow_copy_filter` ' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf diff --git a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml index 0d953b64fe..166cc109fc 100644 --- a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml +++ b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml @@ -11,14 +11,18 @@ data_source: search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name - Processes.process Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + Processes.process Processes.parent_process Processes.parent_process_name Processes.original_file_name + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf diff --git a/detections/endpoint/csc_net_on_the_fly_compilation.yml b/detections/endpoint/csc_net_on_the_fly_compilation.yml index ad9b32bf2a..3c6c0f0ba5 100644 --- a/detections/endpoint/csc_net_on_the_fly_compilation.yml +++ b/detections/endpoint/csc_net_on_the_fly_compilation.yml @@ -22,11 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `csc_net_on_the_fly_compilation_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: A network operator or systems administrator may utilize an automated powershell script taht execute .net code that may generate false positive. filter is needed. diff --git a/detections/endpoint/curl_download_and_bash_execution.yml b/detections/endpoint/curl_download_and_bash_execution.yml index a51e4b2fe4..40bfd9a650 100644 --- a/detections/endpoint/curl_download_and_bash_execution.yml +++ b/detections/endpoint/curl_download_and_bash_execution.yml @@ -16,12 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `curl_download_and_bash_execution_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon for Linux, you will need to ensure mapping is - occurring correctly. If the EDR is not parsing the pipe bash in the command-line, - modifying the analytic will be required. Add parent process name (Processes.parent_process_name) - as needed to filter. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited, however filtering may be required. references: diff --git a/detections/endpoint/deleting_of_net_users.yml b/detections/endpoint/deleting_of_net_users.yml index d4326f981c..7c073d2c57 100644 --- a/detections/endpoint/deleting_of_net_users.yml +++ b/detections/endpoint/deleting_of_net_users.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `deleting_of_net_users_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: System administrators or scripts may delete user accounts via this technique. Filter as needed. references: diff --git a/detections/endpoint/deleting_shadow_copies.yml b/detections/endpoint/deleting_shadow_copies.yml index 5fb04d859f..807758110a 100644 --- a/detections/endpoint/deleting_shadow_copies.yml +++ b/detections/endpoint/deleting_shadow_copies.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `deleting_shadow_copies_filter`' -how_to_implement: You must be ingesting endpoint data that tracks process activity, - including parent-child relationships from your endpoints to populate the Endpoint - data model in the Processes node. The command-line arguments are mapped to the "process" - field in the Endpoint data model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. They may be used by administrators to legitimately delete old backup copies, although this is typically rare. diff --git a/detections/endpoint/detect_azurehound_command_line_arguments.yml b/detections/endpoint/detect_azurehound_command_line_arguments.yml index 5211fd79f3..973764df08 100644 --- a/detections/endpoint/detect_azurehound_command_line_arguments.yml +++ b/detections/endpoint/detect_azurehound_command_line_arguments.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. references: - https://attack.mitre.org/software/S0521/ diff --git a/detections/endpoint/detect_certify_command_line_arguments.yml b/detections/endpoint/detect_certify_command_line_arguments.yml index 59721aa1cb..c656157f4e 100644 --- a/detections/endpoint/detect_certify_command_line_arguments.yml +++ b/detections/endpoint/detect_certify_command_line_arguments.yml @@ -5,12 +5,30 @@ date: '2023-06-25' author: Steven Dick status: production type: TTP -description: The following analytic identifies when the attacker tool Certify or Certipy are used to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments of these tools are similar and perform near identical enumeration or exploitation functions. +description: The following analytic identifies when the attacker tool Certify or Certipy + are used to enumerate Active Directory Certificate Services (AD CS) environments. + The default command line arguments of these tools are similar and perform near identical + enumeration or exploitation functions. data_source: - Sysmon Event ID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("* find *","* auth *","* request *","* req *","* download *",) AND Processes.process IN ("* /vulnerable*","* /enrolleeSuppliesSubject *","* /json /outfile*","* /ca*", "* -username *","* -u *") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `detect_certify_command_line_arguments_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. -known_false_positives: Unknown +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("* find + *","* auth *","* request *","* req *","* download *",) AND Processes.process IN + ("* /vulnerable*","* /enrolleeSuppliesSubject *","* /json /outfile*","* /ca*", "* + -username *","* -u *") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `detect_certify_command_line_arguments_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Unknown references: - https://github.com/GhostPack/Certify - https://github.com/ly4k/Certipy @@ -45,13 +63,13 @@ tags: - Splunk Cloud required_fields: - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id + - Processes.dest + - Processes.user + - Processes.parent_process + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_id risk_score: 90 security_domain: endpoint tests: @@ -60,4 +78,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/endpoint/detect_html_help_renamed.yml b/detections/endpoint/detect_html_help_renamed.yml index f8ebcc46ba..27efe7de4c 100644 --- a/detections/endpoint/detect_html_help_renamed.yml +++ b/detections/endpoint/detect_html_help_renamed.yml @@ -24,11 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_renamed_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed. references: diff --git a/detections/endpoint/detect_html_help_spawn_child_process.yml b/detections/endpoint/detect_html_help_spawn_child_process.yml index 2c7cb7daa6..d532a32bb5 100644 --- a/detections/endpoint/detect_html_help_spawn_child_process.yml +++ b/detections/endpoint/detect_html_help_spawn_child_process.yml @@ -23,9 +23,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_spawn_child_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. Filter as needed. references: diff --git a/detections/endpoint/detect_html_help_url_in_command_line.yml b/detections/endpoint/detect_html_help_url_in_command_line.yml index c6a5efecb7..c9e94504c8 100644 --- a/detections/endpoint/detect_html_help_url_in_command_line.yml +++ b/detections/endpoint/detect_html_help_url_in_command_line.yml @@ -24,11 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may retrieve a CHM remotely, filter as needed. references: diff --git a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml index 066b0a8890..7a6643b2dc 100644 --- a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml +++ b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml @@ -26,11 +26,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_using_infotech_storage_handlers_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: It is rare to see instances of InfoTech Storage Handlers being used, but it does happen in some legitimate instances. Filter as needed. references: diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml index 044c8605a8..f264b2c5f1 100644 --- a/detections/endpoint/detect_mshta_inline_hta_execution.yml +++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_inline_hta_execution_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. references: diff --git a/detections/endpoint/detect_mshta_renamed.yml b/detections/endpoint/detect_mshta_renamed.yml index 07063fe7a6..29581ca7de 100644 --- a/detections/endpoint/detect_mshta_renamed.yml +++ b/detections/endpoint/detect_mshta_renamed.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive. references: diff --git a/detections/endpoint/detect_mshta_url_in_command_line.yml b/detections/endpoint/detect_mshta_url_in_command_line.yml index 235773c65a..f26be6a2b2 100644 --- a/detections/endpoint/detect_mshta_url_in_command_line.yml +++ b/detections/endpoint/detect_mshta_url_in_command_line.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces OR Processes.process="*https://*") by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_url_in_command_line_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: It is possible legitimate applications may perform this behavior and will need to be filtered. references: diff --git a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml index adf662dc58..cc80b77ce0 100644 --- a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml +++ b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | eval process_name = lower(process_name) | eval service_process = lower(service_process) | where process_name != service_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_path_interception_by_creation_of_program_exe_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae diff --git a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml b/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml index 09350bf9c2..ba21845195 100644 --- a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml +++ b/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml @@ -17,12 +17,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`' -how_to_implement: You must be ingesting data that records registry activity from your - hosts to populate the Endpoint data model in the processes node. This is typically - populated via endpoint detection-and-response product, such as Carbon Black, or - endpoint data sources, such as Sysmon. The data used for this search is usually - generated via logs that report reads and writes to the registry or that are populated - via Windows event logs, after enabling process tracking in your Windows audit settings. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives. diff --git a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml index 0cba0683b4..db557ac2ae 100644 --- a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml +++ b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml @@ -14,15 +14,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd`] | `detect_prohibited_applications_spawning_cmd_exe_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts and populates the Endpoint data model with the resultant dataset. This search - includes a lookup file, `prohibited_apps_launching_cmd.csv`, that contains a list - of processes that should not be spawning cmd.exe. You can modify this lookup to - better suit your environment. To successfully implement this search you need to - be ingesting information on process that include the name of the process responsible - for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` - node. In addition, confirm the latest CIM App 4.20 or higher is installed and the - latest TA for the endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate. diff --git a/detections/endpoint/detect_psexec_with_accepteula_flag.yml b/detections/endpoint/detect_psexec_with_accepteula_flag.yml index 79b2c07045..5c16489425 100644 --- a/detections/endpoint/detect_psexec_with_accepteula_flag.yml +++ b/detections/endpoint/detect_psexec_with_accepteula_flag.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. However, it is not likely that you'd see multiple occurrences of this diff --git a/detections/endpoint/detect_rare_executables.yml b/detections/endpoint/detect_rare_executables.yml index 34ff3a3330..8a64f7f8d3 100644 --- a/detections/endpoint/detect_rare_executables.yml +++ b/detections/endpoint/detect_rare_executables.yml @@ -16,15 +16,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.dest) as process | `filter_rare_process_allow_list` | sort count | head 30 | rex field=user "(?.*)\\\\(?.*)" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rare_executables_filter` ' -how_to_implement: To successfully implement this search, you must be ingesting data - that records process activity from your hosts and populating the `Endpoint` data - model with the resultant dataset. The macro `filter_rare_process_allow_list` searches - two lookup files for allowed processes. These consist of `rare_process_allow_list_default.csv` - and `rare_process_allow_list_local.csv`. To add your own processes to the allow - list, add them to `rare_process_allow_list_local.csv`. If you wish to remove an - entry from the default lookup file, you will have to modify the macro itself to - set the allow_list value for that process to false. You can modify the limit parameter - and search scheduling to better suit your environment. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some legitimate processes may be only rarely executed in your environment. As these are identified, update `rare_process_allow_list_local.csv` to filter them out of your search results. diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml index 026f7e1413..23076d2732 100644 --- a/detections/endpoint/detect_rclone_command_line_usage.yml +++ b/detections/endpoint/detect_rclone_command_line_usage.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited as this is restricted to the Rclone process name. Filter or tune the analytic as needed. references: diff --git a/detections/endpoint/detect_regasm_spawning_a_process.yml b/detections/endpoint/detect_regasm_spawning_a_process.yml index 657a20b14a..c1a8b3abac 100644 --- a/detections/endpoint/detect_regasm_spawning_a_process.yml +++ b/detections/endpoint/detect_regasm_spawning_a_process.yml @@ -20,9 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_spawning_a_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. diff --git a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml index bb713095e1..6cd0ea7e1c 100644 --- a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml +++ b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(regasm\.exe.{0,4}$)" | `detect_regasm_with_no_command_line_arguments_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, limited instances of regasm.exe or may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. diff --git a/detections/endpoint/detect_regsvcs_spawning_a_process.yml b/detections/endpoint/detect_regsvcs_spawning_a_process.yml index 67d265cadf..47f6d8a993 100644 --- a/detections/endpoint/detect_regsvcs_spawning_a_process.yml +++ b/detections/endpoint/detect_regsvcs_spawning_a_process.yml @@ -20,9 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_spawning_a_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. diff --git a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml index 19e5f57e14..d41df52b4c 100644 --- a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml +++ b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(regsvcs\.exe.{0,4}$)"| `detect_regsvcs_with_no_command_line_arguments_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. diff --git a/detections/endpoint/detect_regsvr32_application_control_bypass.yml b/detections/endpoint/detect_regsvr32_application_control_bypass.yml index 471969d537..afb82b9c0e 100644 --- a/detections/endpoint/detect_regsvr32_application_control_bypass.yml +++ b/detections/endpoint/detect_regsvr32_application_control_bypass.yml @@ -23,11 +23,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives related to third party software registering .DLL's. references: diff --git a/detections/endpoint/detect_renamed_7_zip.yml b/detections/endpoint/detect_renamed_7_zip.yml index 9de0887294..aeec9d0b29 100644 --- a/detections/endpoint/detect_renamed_7_zip.yml +++ b/detections/endpoint/detect_renamed_7_zip.yml @@ -19,9 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_7_zip_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives, however this analytic will need to be modified for each environment if Sysmon is not used. references: diff --git a/detections/endpoint/detect_renamed_psexec.yml b/detections/endpoint/detect_renamed_psexec.yml index 2c3fcf91b7..e8d41a4c40 100644 --- a/detections/endpoint/detect_renamed_psexec.yml +++ b/detections/endpoint/detect_renamed_psexec.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_psexec_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives should be present. It is possible some third party applications may use older versions of PsExec, filter as needed. references: diff --git a/detections/endpoint/detect_renamed_rclone.yml b/detections/endpoint/detect_renamed_rclone.yml index 0b05304e75..95387c2829 100644 --- a/detections/endpoint/detect_renamed_rclone.yml +++ b/detections/endpoint/detect_renamed_rclone.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case. diff --git a/detections/endpoint/detect_renamed_winrar.yml b/detections/endpoint/detect_renamed_winrar.yml index 2be889807a..8f264d7a38 100644 --- a/detections/endpoint/detect_renamed_winrar.yml +++ b/detections/endpoint/detect_renamed_winrar.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_winrar_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. It is possible third party applications use renamed instances of WinRAR. references: diff --git a/detections/endpoint/detect_rtlo_in_process.yml b/detections/endpoint/detect_rtlo_in_process.yml index 2975dade93..ca750a4909 100644 --- a/detections/endpoint/detect_rtlo_in_process.yml +++ b/detections/endpoint/detect_rtlo_in_process.yml @@ -5,31 +5,33 @@ date: '2023-04-26' author: Steven Dick status: production type: TTP -description: This search is used to detect the abuse of the right-to-left override (RTLO or RLO) - character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or - file name to make it appear benign. The RTLO character is a non-printing Unicode - character that causes the text that follows it to be displayed in reverse. +description: This search is used to detect the abuse of the right-to-left override + (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to + disguise a string and/or file name to make it appear benign. The RTLO character + is a non-printing Unicode character that causes the text that follows it to be displayed + in reverse. data_source: - Sysmon Event ID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from -datamodel=Endpoint.Processes where Processes.process!=unknown AND Processes.action=allowed by Processes.dest -Processes.user Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name -Processes.process Processes.process_id Processes.process_guid Processes.parent_process_id -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `drop_dm_object_name(Processes)` -| regex process="\\x{202E}" -| rex field=process "(?.+)(?\\x{202E})(?.+)" -| eval process_with_RTLO=process -| eval process=RTLO_command_1.RTLO_command_2 -| fields - RTLO* -| `detect_rtlo_in_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that includes the full command line of the process being launched on - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: Implementation in regions that use right to left in native language. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process!=unknown AND + Processes.action=allowed by Processes.dest Processes.user Processes.original_file_name + Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.process_guid Processes.parent_process_id | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | regex + process="\\x{202E}" | rex field=process "(?.+)(?\\x{202E})(?.+)" + | eval process_with_RTLO=process | eval process=RTLO_command_1.RTLO_command_2 | + fields - RTLO* | `detect_rtlo_in_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Implementation in regions that use right to left in native + language. references: - https://attack.mitre.org/techniques/T1036/002/ - https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/ diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml index bf91213573..45fcaea433 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml @@ -22,11 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___advpack_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive. references: diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml index 03173dcee0..e10210cdbb 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml @@ -22,9 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___setupapi_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may use setupapi triggering a false positive. references: diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml index e5cb9ec0b1..f96ae3754e 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml @@ -22,11 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___syssetup_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive. references: diff --git a/detections/endpoint/detect_rundll32_inline_hta_execution.yml b/detections/endpoint/detect_rundll32_inline_hta_execution.yml index 1d4eef6352..4934ee1e77 100644 --- a/detections/endpoint/detect_rundll32_inline_hta_execution.yml +++ b/detections/endpoint/detect_rundll32_inline_hta_execution.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_rundll32_inline_hta_execution_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. references: diff --git a/detections/endpoint/detect_sharphound_command_line_arguments.yml b/detections/endpoint/detect_sharphound_command_line_arguments.yml index 39c1bfb4b6..ccc4e8c8ed 100644 --- a/detections/endpoint/detect_sharphound_command_line_arguments.yml +++ b/detections/endpoint/detect_sharphound_command_line_arguments.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_command_line_arguments_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited as the arguments used are specific to SharpHound. Filter as needed or add more command-line arguments as needed. references: diff --git a/detections/endpoint/detect_sharphound_usage.yml b/detections/endpoint/detect_sharphound_usage.yml index 2e49a39067..f047c01262 100644 --- a/detections/endpoint/detect_sharphound_usage.yml +++ b/detections/endpoint/detect_sharphound_usage.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_usage_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited as this is specific to a file attribute not used by anything else. Filter as needed. references: diff --git a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml index 0f04adb212..3b71633340 100644 --- a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml +++ b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml @@ -1,71 +1,43 @@ name: Detect suspicious processnames using pretrained model in DSDL id: a15f8977-ad7d-4669-92ef-b59b97219bf5 version: 1 -date: "2023-01-23" +date: '2023-01-23' author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk type: Anomaly status: experimental data_source: - Sysmon Event Code 1 -description: The following analytic uses a pre-trained Deep Learning model to - predict whether a processname is suspicious or not. Malwares and malicious - programs such as ransomware often use tactics, techniques, and procedures - (TTPs) such as copying malicious files to the local machine to propagate - themselves across the network. A key indicator of compromise is that after - a successful execution of the malware, it copies itself as an executable file - with a randomly generated filename and places this file in one of the - directories. Such techniques are seen in several malwares such as TrickBot. - We develop machine learning model that uses a Recurrent Neural Network (RNN) - to distinguish between malicious and benign processnames. The model is trained - independently and is then made available for download. We use a character level - RNN to classify malicious vs. benign processnames. The higher is_malicious_prob, +description: The following analytic uses a pre-trained Deep Learning model to predict + whether a processname is suspicious or not. Malwares and malicious programs such + as ransomware often use tactics, techniques, and procedures (TTPs) such as copying + malicious files to the local machine to propagate themselves across the network. + A key indicator of compromise is that after a successful execution of the malware, + it copies itself as an executable file with a randomly generated filename and places + this file in one of the directories. Such techniques are seen in several malwares + such as TrickBot. We develop machine learning model that uses a Recurrent Neural + Network (RNN) to distinguish between malicious and benign processnames. The model + is trained independently and is then made available for download. We use a character + level RNN to classify malicious vs. benign processnames. The higher is_malicious_prob, the more likely is the processname to be suspicious (between [0,1]). The threshold for flagging a processname as suspicious is set as 0.5. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime - max(_time) as lastTime from datamodel=Endpoint.Processes - by Processes.process_name Processes.parent_process_name Processes.process - Processes.user Processes.dest - | `drop_dm_object_name(Processes)` - | rename process_name as text - | fields text, parent_process_name, process, user, dest - | apply detect_suspicious_processnames_using_pretrained_model_in_dsdl - | rename predicted_label as is_suspicious_score - | rename text as process_name - | where is_suspicious_score > 0.5 - | `detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter`' - -how_to_implement: 'Steps to deploy detect suspicious processnames model into Splunk App - DSDL. This detection depends on the Splunk app for Data Science and Deep - Learning which can be found here - `https://splunkbase.splunk.com/app/4607/` - and the Endpoint datamodel. The detection uses a pre-trained - deep learning model that needs to be deployed in the DSDL app. Follow the steps - for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\ - - * Download the `artifacts .tar.gz` file from the link - `https://seal.splunkresearch.com/detect_suspicious_processnames_using_pretrained_model_in_dsdl.tar.gz`.\ - - * Download the `detect_suspicious_processnames_using_pretrained_model_in_dsdl.ipynb` - Jupyter notebook from the link - `https://github.com/splunk/security_content/notebooks`.\ - - * Login to the Jupyter Lab assigned for `detect_suspicious_processnames_using_pretrained_model_in_dsdl` - container. This container should be listed on Containers page for DSDL app.\ - - * Follow the steps below inside Jupyter Notebook:\ - - * Upload the `detect_suspicious_processnames_using_pretrained_model_in_dsdl.tar.gz` file - into `app/model/data/detect_suspicious_processnames_using_pretrained_model_in_dsdl/` path using the upload option in the Jupyter Notebook.\ - - * Untar the artifact `detect_suspicious_processnames_using_pretrained_model_in_dsdl.tar.gz` using - `tar -xf app/model/data/detect_suspicious_processnames_using_pretrained_model_in_dsdl.tar.gz -C app/model/data/detect_suspicious_processnames_using_pretrained_model_in_dsdl/`.\ - - * Upload `detect_suspicious_processnames_using_pretrained_model_in_dsdl.ipynb` into the Jupyter Notebooks - folder using the upload option in Jupyter Notebook.\ - - * Save the notebook using the save option in Jupyter Notebook.\ - - * Upload `detect_suspicious_processnames_using_pretrained_model_in_dsdl.json` into `notebooks/data` - folder.' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.parent_process_name + Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` + | rename process_name as text | fields text, parent_process_name, process, user, + dest | apply detect_suspicious_processnames_using_pretrained_model_in_dsdl | rename + predicted_label as is_suspicious_score | rename text as process_name | where is_suspicious_score + > 0.5 | `detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present if a suspicious processname - is similar to a benign processname. + is similar to a benign processname. references: - https://www.cisa.gov/uscert/ncas/alerts/aa20-302a - https://www.splunk.com/en_us/blog/security/random-words-on-entropy-and-dns.html @@ -78,19 +50,19 @@ tags: - Source:Endpoint - Stage:Execution impact: 50 - message: The process $process$ is running from an unusual place by $user$ on $dest$ with a processname - that appears to be randomly generated. + message: The process $process$ is running from an unusual place by $user$ on $dest$ + with a processname that appears to be randomly generated. mitre_attack_id: - T1059 observable: - name: dest type: Hostname role: - - Victim + - Victim - name: user type: User role: - - Victim + - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml index 201b37b039..d0c2b437a4 100644 --- a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml +++ b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data - that records process activity from your hosts to populate the endpoint data model - in the processes node. If you are using Sysmon, you must have at least version 6.0.4 - of the Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some legitimate applications may exhibit this behavior. references: [] tags: diff --git a/detections/endpoint/detect_webshell_exploit_behavior.yml b/detections/endpoint/detect_webshell_exploit_behavior.yml index 216d7dc674..67398cc24f 100644 --- a/detections/endpoint/detect_webshell_exploit_behavior.yml +++ b/detections/endpoint/detect_webshell_exploit_behavior.yml @@ -24,11 +24,15 @@ search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, by Processes.dest,Processes.user,Processes.parent_process,Processes.parent_process_name,Processes.process,Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_webshell_exploit_behavior_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that includes the full command line of the process being launched on - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Legitimate OS functions called by vendor applications, baseline the environment and filter before enabling. Recommend throttle by dest/process_name references: diff --git a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml index 41b56e2cd4..2d9084ca19 100644 --- a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml +++ b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml @@ -15,10 +15,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) values(Proce /stext *" OR Processes.process="* /scomma *" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`' -how_to_implement: You must be ingesting endpoint data that tracks process activity, - including parent-child relationships from your endpoints to populate the Endpoint - data model in the Processes node. The command-line arguments are mapped to the "process" - field in the Endpoint data model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: While legitimate, these NirSoft tools are prone to abuse. You should verfiy that the tool was used for a legitimate purpose. references: [] diff --git a/detections/endpoint/disable_defender_enhanced_notification.yml b/detections/endpoint/disable_defender_enhanced_notification.yml index 2e02dc9d26..b3b7ca577a 100644 --- a/detections/endpoint/disable_defender_enhanced_notification.yml +++ b/detections/endpoint/disable_defender_enhanced_notification.yml @@ -24,10 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical - Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: user may choose to disable windows defender AV references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ diff --git a/detections/endpoint/disable_logs_using_wevtutil.yml b/detections/endpoint/disable_logs_using_wevtutil.yml index 2f14777a30..b6aa0810ae 100644 --- a/detections/endpoint/disable_logs_using_wevtutil.yml +++ b/detections/endpoint/disable_logs_using_wevtutil.yml @@ -16,10 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_logs_using_wevtutil_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: network operator may disable audit event logs for debugging purposes. references: diff --git a/detections/endpoint/disable_schedule_task.yml b/detections/endpoint/disable_schedule_task.yml index 1b73052a81..14b1359670 100644 --- a/detections/endpoint/disable_schedule_task.yml +++ b/detections/endpoint/disable_schedule_task.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTim Processes.process Processes.parent_process_name Processes.parent_process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_schedule_task_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: admin may disable problematic schedule task references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ diff --git a/detections/endpoint/disabling_firewall_with_netsh.yml b/detections/endpoint/disabling_firewall_with_netsh.yml index 01676b435f..7fd3ee003d 100644 --- a/detections/endpoint/disabling_firewall_with_netsh.yml +++ b/detections/endpoint/disabling_firewall_with_netsh.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_firewall_with_netsh_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: admin may disable firewall during testing or fixing network problem. references: diff --git a/detections/endpoint/disabling_net_user_account.yml b/detections/endpoint/disabling_net_user_account.yml index 142b35ef4b..7fd0fa6506 100644 --- a/detections/endpoint/disabling_net_user_account.yml +++ b/detections/endpoint/disabling_net_user_account.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_net_user_account_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ diff --git a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml index f7b9ac7ee7..7eed05426f 100644 --- a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml +++ b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml @@ -7,37 +7,41 @@ status: production type: TTP data_source: - Sysmon Event ID 13 -description: This detection looks for the deletion of registry keys which disable LSA protection and MS Defender Device Guard. +description: This detection looks for the deletion of registry keys which disable + LSA protection and MS Defender Device Guard. search: '| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LsaCfgFlags", "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\*", "*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL") Registry.action IN (deleted, unknown) by Registry.action Registry.registry_path - Registry.process_guid - | `drop_dm_object_name(Registry)` - | join type=outer process_guid [| tstats `security_content_summariesonly` count - FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process - Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid - | `drop_dm_object_name(Processes)`] + Registry.process_guid | `drop_dm_object_name(Registry)` | join type=outer process_guid + [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name + Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path | `disabling_windows_local_security_authority_defences_via_registry_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data - that records registry activity from your hosts to populate the endpoint data model - in the registry node. This is typically populated via endpoint detection-and-response - product, such as Carbon Black or endpoint data sources, such as Sysmon. The data - used for this search is typically generated via logs that report reads and writes - to the registry. -known_false_positives: Potential to be triggered by an administrator disabling protections for troubleshooting purposes. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Potential to be triggered by an administrator disabling protections + for troubleshooting purposes. references: - https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage tags: analytic_story: - Windows Defence Evasion Tactics - - Windows Registry Abuse + - Windows Registry Abuse asset_type: Endpoint confidence: 100 impact: 60 - message: An attempt to disable Windows LSA defences was detected on $dest$. The reg key $registry_path$ was deleted by $user$. + message: An attempt to disable Windows LSA defences was detected on $dest$. The + reg key $registry_path$ was deleted by $user$. mitre_attack_id: - T1556 observable: @@ -66,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/disable_lsa_protection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml index d40cf5bd4c..9e1ab31356 100644 --- a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml @@ -23,9 +23,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `dllhost_with_no_command_line_arguments_with_network_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` and `port` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive. references: diff --git a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml index 2064dbeebc..f918a92cc4 100644 --- a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml +++ b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml @@ -21,10 +21,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as OR Processes.process="*-retry=*" by Processes.dest Processes.user Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dns_exfiltration_using_nslookup_app_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of nslookup.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: admin nslookup usage references: - https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings diff --git a/detections/endpoint/domain_account_discovery_with_dsquery.yml b/detections/endpoint/domain_account_discovery_with_dsquery.yml index 38f07b957c..8a309adb75 100644 --- a/detections/endpoint/domain_account_discovery_with_dsquery.yml +++ b/detections/endpoint/domain_account_discovery_with_dsquery.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_dsquery_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm diff --git a/detections/endpoint/domain_account_discovery_with_net_app.yml b/detections/endpoint/domain_account_discovery_with_net_app.yml index 03f5d9e2de..8b29a3c400 100644 --- a/detections/endpoint/domain_account_discovery_with_net_app.yml +++ b/detections/endpoint/domain_account_discovery_with_net_app.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_net_app_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://docs.microsoft.com/en-us/defender-for-identity/playbook-domain-dominance diff --git a/detections/endpoint/domain_account_discovery_with_wmic.yml b/detections/endpoint/domain_account_discovery_with_wmic.yml index d258779b26..7cb16fff50 100644 --- a/detections/endpoint/domain_account_discovery_with_wmic.yml +++ b/detections/endpoint/domain_account_discovery_with_wmic.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_wmic_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1087/002/ diff --git a/detections/endpoint/domain_controller_discovery_with_nltest.yml b/detections/endpoint/domain_controller_discovery_with_nltest.yml index 6cb1fb7a0b..b63df5d031 100644 --- a/detections/endpoint/domain_controller_discovery_with_nltest.yml +++ b/detections/endpoint/domain_controller_discovery_with_nltest.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_nltest_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ diff --git a/detections/endpoint/domain_controller_discovery_with_wmic.yml b/detections/endpoint/domain_controller_discovery_with_wmic.yml index 6fcba1e9ba..e28809b010 100644 --- a/detections/endpoint/domain_controller_discovery_with_wmic.yml +++ b/detections/endpoint/domain_controller_discovery_with_wmic.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_wmic_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ diff --git a/detections/endpoint/domain_group_discovery_with_dsquery.yml b/detections/endpoint/domain_group_discovery_with_dsquery.yml index 1ce905ae53..7e92e8b7ed 100644 --- a/detections/endpoint/domain_group_discovery_with_dsquery.yml +++ b/detections/endpoint/domain_group_discovery_with_dsquery.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_dsquery_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ diff --git a/detections/endpoint/domain_group_discovery_with_net.yml b/detections/endpoint/domain_group_discovery_with_net.yml index b7ac8da53b..ef8878fd95 100644 --- a/detections/endpoint/domain_group_discovery_with_net.yml +++ b/detections/endpoint/domain_group_discovery_with_net.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_net_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ diff --git a/detections/endpoint/domain_group_discovery_with_wmic.yml b/detections/endpoint/domain_group_discovery_with_wmic.yml index 5a9aa655f3..02623f44af 100644 --- a/detections/endpoint/domain_group_discovery_with_wmic.yml +++ b/detections/endpoint/domain_group_discovery_with_wmic.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_wmic_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ diff --git a/detections/endpoint/dsquery_domain_discovery.yml b/detections/endpoint/dsquery_domain_discovery.yml index 8166c5018d..29b7843f6e 100644 --- a/detections/endpoint/dsquery_domain_discovery.yml +++ b/detections/endpoint/dsquery_domain_discovery.yml @@ -34,9 +34,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dsquery_domain_discovery_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives. If there is a true false positive, filter based on command-line or parent process. references: diff --git a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml index 0dffb958bd..56208ebe20 100644 --- a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml +++ b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml @@ -5,7 +5,28 @@ date: '2023-04-14' author: Patrick Bareiss, Splunk status: production type: TTP -description: 'The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries. Specifically, it targets the exploitation of the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. Threat actors can use the comsvcs.dll to exploit this process and obtain valuable credentials. The analytic identifies instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump, indicating potential LSASS dumping attempts. This tactic is often part of more extensive attack campaigns and is associated with numerous threat groups. Identifying this behavior is crucial for security operations center (SOC) analysts, as credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. It is important to note that no legitimate use of this technique has been identified so far. The impact of the attack, if a true positive is found, can be severe. Attackers can use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. To implement this analytic, ensure that logs with process information are ingested from your endpoints. However, be aware of potential false positives, as legitimate uses of the LSASS process may cause benign activities to be flagged. Upon triage, review the processes involved in the LSASS dumping attempt, capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. By identifying and mitigating LSASS exploitation attempts early on, SOC analysts can better protect their organization''s assets and prevent potential breaches.' +description: The following analytic detects the behavior of dumping credentials from + memory, a tactic commonly used by adversaries. Specifically, it targets the exploitation + of the Local Security Authority Subsystem Service (LSASS) in Windows, which manages + system-level authentication. Threat actors can use the comsvcs.dll to exploit this + process and obtain valuable credentials. The analytic identifies instances where + the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump, indicating + potential LSASS dumping attempts. This tactic is often part of more extensive attack + campaigns and is associated with numerous threat groups. Identifying this behavior + is crucial for security operations center (SOC) analysts, as credential theft can + lead to broader system compromise, persistence, lateral movement, and escalated + privileges. It is important to note that no legitimate use of this technique has + been identified so far. The impact of the attack, if a true positive is found, can + be severe. Attackers can use the stolen credentials to access sensitive information + or systems, leading to data theft, ransomware attacks, or other damaging outcomes. + To implement this analytic, ensure that logs with process information are ingested + from your endpoints. However, be aware of potential false positives, as legitimate + uses of the LSASS process may cause benign activities to be flagged. Upon triage, + review the processes involved in the LSASS dumping attempt, capture and inspect + any relevant on-disk artifacts, and look for concurrent processes to identify the + attack source. By identifying and mitigating LSASS exploitation attempts early on, + SOC analysts can better protect their organization's assets and prevent potential + breaches. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -13,11 +34,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process=*MiniDump* by Processes.user Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: None identified. references: - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ diff --git a/detections/endpoint/dump_lsass_via_procdump.yml b/detections/endpoint/dump_lsass_via_procdump.yml index 45cf26107c..03709c372e 100644 --- a/detections/endpoint/dump_lsass_via_procdump.yml +++ b/detections/endpoint/dump_lsass_via_procdump.yml @@ -22,11 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.process_name Processes.process Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: None identified. references: - https://attack.mitre.org/techniques/T1003/001/ diff --git a/detections/endpoint/elevated_group_discovery_with_net.yml b/detections/endpoint/elevated_group_discovery_with_net.yml index 285bcae103..4905358c4a 100644 --- a/detections/endpoint/elevated_group_discovery_with_net.yml +++ b/detections/endpoint/elevated_group_discovery_with_net.yml @@ -22,9 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_net_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ diff --git a/detections/endpoint/elevated_group_discovery_with_wmic.yml b/detections/endpoint/elevated_group_discovery_with_wmic.yml index 0d9ff3327c..0dba6e1440 100644 --- a/detections/endpoint/elevated_group_discovery_with_wmic.yml +++ b/detections/endpoint/elevated_group_discovery_with_wmic.yml @@ -20,9 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Admins*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_wmic_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ diff --git a/detections/endpoint/esentutl_sam_copy.yml b/detections/endpoint/esentutl_sam_copy.yml index 6e76b3e66e..864c00bff3 100644 --- a/detections/endpoint/esentutl_sam_copy.yml +++ b/detections/endpoint/esentutl_sam_copy.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esentutl_sam_copy_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited. Filter as needed. references: - https://github.com/redcanaryco/atomic-red-team/blob/6a570c2a4630cf0c2bd41a2e8375b5d5ab92f700/atomics/T1003.002/T1003.002.md diff --git a/detections/endpoint/eventvwr_uac_bypass.yml b/detections/endpoint/eventvwr_uac_bypass.yml index 331a058229..7f514ea215 100644 --- a/detections/endpoint/eventvwr_uac_bypass.yml +++ b/detections/endpoint/eventvwr_uac_bypass.yml @@ -24,10 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `eventvwr_uac_bypass_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical - Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some false positives may be present and will need to be filtered. references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ diff --git a/detections/endpoint/excel_spawning_powershell.yml b/detections/endpoint/excel_spawning_powershell.yml index 8bf0526a88..36dbb0bf57 100644 --- a/detections/endpoint/excel_spawning_powershell.yml +++ b/detections/endpoint/excel_spawning_powershell.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces Processes.process_name Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited, but if any are present, filter as needed. references: diff --git a/detections/endpoint/excel_spawning_windows_script_host.yml b/detections/endpoint/excel_spawning_windows_script_host.yml index 6da420a2fd..59a2924958 100644 --- a/detections/endpoint/excel_spawning_windows_script_host.yml +++ b/detections/endpoint/excel_spawning_windows_script_host.yml @@ -23,9 +23,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces "wscript.exe") by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_windows_script_host_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited, but if any are present, filter as needed. In some instances, `cscript.exe` is used for legitimate business practices. diff --git a/detections/endpoint/excessive_attempt_to_disable_services.yml b/detections/endpoint/excessive_attempt_to_disable_services.yml index 80a0749ef2..b38b0beefb 100644 --- a/detections/endpoint/excessive_attempt_to_disable_services.yml +++ b/detections/endpoint/excessive_attempt_to_disable_services.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_attempt_to_disable_services_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed sc.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ diff --git a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml index 7d0a8f8f57..b64cf95b05 100644 --- a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml +++ b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as = "*\\Windows\\Temp\\*" by Processes.dest Processes.user _time span=20m | where distinct_process_count > 37 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_distinct_processes_from_windows_temp_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the full process path in the process field of CIM's Process data model. - If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. - Tune and filter known instances where renamed sc.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Many benign applications will create processes from executables in Windows\Temp, although unlikely to exceed the given threshold. Filter as needed. references: diff --git a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml index 64e3242c67..90938507c7 100644 --- a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml +++ b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` distinct_count(Processes.proc Processes.parent_process Processes.process_name Processes.parent_process_id, _time span=30m | where distinct_cmdlines >= 8 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_service_control_start_as_disabled_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must be ingesting - logs with both the process name and command line from your endpoints. The complete - process name with command-line arguments are mapped to the "process" field in the - Endpoint data model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Legitimate programs and administrators will execute sc.exe with the start disabled flag. It is possible, but unlikely from the telemetry of normal Windows operation we observed, that sc.exe will be called more than seven diff --git a/detections/endpoint/excessive_number_of_taskhost_processes.yml b/detections/endpoint/excessive_number_of_taskhost_processes.yml index 1cb4236fea..8cf40e3bb8 100644 --- a/detections/endpoint/excessive_number_of_taskhost_processes.yml +++ b/detections/endpoint/excessive_number_of_taskhost_processes.yml @@ -23,9 +23,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process_id) as taskhostex_count by _time, dest, firstTime, lastTime | where taskhost_count > 10 and taskhostex_count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_taskhost_processes_filter`' -how_to_implement: To successfully implement this search you need to be ingesting events - related to processes on the endpoints that include the name of the process and process - id into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. Filter as needed. references: diff --git a/detections/endpoint/excessive_service_stop_attempt.yml b/detections/endpoint/excessive_service_stop_attempt.yml index 4a7d29a7c2..6e745e0744 100644 --- a/detections/endpoint/excessive_service_stop_attempt.yml +++ b/detections/endpoint/excessive_service_stop_attempt.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_service_stop_attempt_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ diff --git a/detections/endpoint/excessive_usage_of_cacls_app.yml b/detections/endpoint/excessive_usage_of_cacls_app.yml index ef59d6ecdc..f36b8c501c 100644 --- a/detections/endpoint/excessive_usage_of_cacls_app.yml +++ b/detections/endpoint/excessive_usage_of_cacls_app.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as OR Processes.process_name = "XCACLS.exe" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or administrative scripts may use this application. Filter as needed. references: diff --git a/detections/endpoint/excessive_usage_of_net_app.yml b/detections/endpoint/excessive_usage_of_net_app.yml index 83246f8a75..66b965166a 100644 --- a/detections/endpoint/excessive_usage_of_net_app.yml +++ b/detections/endpoint/excessive_usage_of_net_app.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.parent_process_name Processes.original_file_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_net_app_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown. Filter as needed. Modify the time span as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml index 73937a219d..8b25eaaaa0 100644 --- a/detections/endpoint/excessive_usage_of_taskkill.yml +++ b/detections/endpoint/excessive_usage_of_taskkill.yml @@ -16,10 +16,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.parent_process_name Processes.process_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_taskkill_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ diff --git a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml index 400f1f8f98..c83edb1db1 100644 --- a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml +++ b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `execute_javascript_with_jscript_com_clsid_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the Filesystem responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Filesystem` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ diff --git a/detections/endpoint/execution_of_file_with_multiple_extensions.yml b/detections/endpoint/execution_of_file_with_multiple_extensions.yml index aebaf09f9d..81f7337848 100644 --- a/detections/endpoint/execution_of_file_with_multiple_extensions.yml +++ b/detections/endpoint/execution_of_file_with_multiple_extensions.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime "*.xlsx.exe", "*.pptx.exe","*.one.exe", "*.bat.exe", "*rtf.exe") by Processes.dest Processes.user Processes.process Processes.parent_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_multiple_extensions_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data - that records process activity from your hosts to populate the endpoint data model - in the processes node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: None identified. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat diff --git a/detections/endpoint/extraction_of_registry_hives.yml b/detections/endpoint/extraction_of_registry_hives.yml index 63bfd73dd4..7994fed1da 100644 --- a/detections/endpoint/extraction_of_registry_hives.yml +++ b/detections/endpoint/extraction_of_registry_hives.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `extraction_of_registry_hives_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: It is possible some agent based products will generate false positives. Filter as needed. references: diff --git a/detections/endpoint/firewall_allowed_program_enable.yml b/detections/endpoint/firewall_allowed_program_enable.yml index 41cb565451..f0751603bd 100644 --- a/detections/endpoint/firewall_allowed_program_enable.yml +++ b/detections/endpoint/firewall_allowed_program_enable.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `firewall_allowed_program_enable_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed. diff --git a/detections/endpoint/first_time_seen_child_process_of_zoom.yml b/detections/endpoint/first_time_seen_child_process_of_zoom.yml index 599381eae8..da73cf3f74 100644 --- a/detections/endpoint/first_time_seen_child_process_of_zoom.yml +++ b/detections/endpoint/first_time_seen_child_process_of_zoom.yml @@ -19,14 +19,15 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime value OR firstTimeSeen > relative_time(now(), "`previously_seen_zoom_child_processes_window`") | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You should run - the baseline search `Previously Seen Zoom Child Processes - Initial` to build the - initial table of child processes and hostnames for this search to work. You should - also schedule at the same interval as this search the second baseline search `Previously - Seen Zoom Child Processes - Update` to keep this table up to date and to age out - old child processes. Please update the `previously_seen_zoom_child_processes_window` - macro to adjust the time window. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: A new child process of zoom isn't malicious by that fact alone. Further investigation of the actions of the child process is needed to verify any malicious behavior is taken. diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml index 9d17855860..9ad97b0477 100644 --- a/detections/endpoint/fodhelper_uac_bypass.yml +++ b/detections/endpoint/fodhelper_uac_bypass.yml @@ -26,9 +26,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `fodhelper_uac_bypass_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited to no false positives are expected. references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ diff --git a/detections/endpoint/fsutil_zeroing_file.yml b/detections/endpoint/fsutil_zeroing_file.yml index c65ada0d25..9289231b8f 100644 --- a/detections/endpoint/fsutil_zeroing_file.yml +++ b/detections/endpoint/fsutil_zeroing_file.yml @@ -16,10 +16,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces Processes.process="*setzerodata*" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fsutil_zeroing_file_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://app.any.run/tasks/e0ac072d-58c9-4f53-8a3b-3e491c7ac5db/ diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml index 5a6e180ba4..a2fdcb0738 100644 --- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml +++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet diff --git a/detections/endpoint/get_aduser_with_powershell.yml b/detections/endpoint/get_aduser_with_powershell.yml index c1be54e364..92f51322ac 100644 --- a/detections/endpoint/get_aduser_with_powershell.yml +++ b/detections/endpoint/get_aduser_with_powershell.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://www.blackhillsinfosec.com/red-blue-purple/ diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml index 74f6ad4815..7d6f1b3828 100644 --- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml +++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet diff --git a/detections/endpoint/get_domainpolicy_with_powershell.yml b/detections/endpoint/get_domainpolicy_with_powershell.yml index 06ad12c543..8fc15c97a0 100644 --- a/detections/endpoint/get_domainpolicy_with_powershell.yml +++ b/detections/endpoint/get_domainpolicy_with_powershell.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet diff --git a/detections/endpoint/get_domaintrust_with_powershell.yml b/detections/endpoint/get_domaintrust_with_powershell.yml index a3199925af..1202de2603 100644 --- a/detections/endpoint/get_domaintrust_with_powershell.yml +++ b/detections/endpoint/get_domaintrust_with_powershell.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute. references: diff --git a/detections/endpoint/get_domainuser_with_powershell.yml b/detections/endpoint/get_domainuser_with_powershell.yml index a69dcb0935..f183e8973a 100644 --- a/detections/endpoint/get_domainuser_with_powershell.yml +++ b/detections/endpoint/get_domainuser_with_powershell.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/ diff --git a/detections/endpoint/get_foresttrust_with_powershell.yml b/detections/endpoint/get_foresttrust_with_powershell.yml index 1a1d8b30f6..cf6f0fc813 100644 --- a/detections/endpoint/get_foresttrust_with_powershell.yml +++ b/detections/endpoint/get_foresttrust_with_powershell.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute. references: diff --git a/detections/endpoint/get_wmiobject_group_discovery.yml b/detections/endpoint/get_wmiobject_group_discovery.yml index c066ec4271..685c7f7327 100644 --- a/detections/endpoint/get_wmiobject_group_discovery.yml +++ b/detections/endpoint/get_wmiobject_group_discovery.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present. Tune as needed. references: - https://attack.mitre.org/techniques/T1069/001/ diff --git a/detections/endpoint/getadcomputer_with_powershell.yml b/detections/endpoint/getadcomputer_with_powershell.yml index 5c5ef96695..19043f9862 100644 --- a/detections/endpoint/getadcomputer_with_powershell.yml +++ b/detections/endpoint/getadcomputer_with_powershell.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadcomputer_with_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ diff --git a/detections/endpoint/getadgroup_with_powershell.yml b/detections/endpoint/getadgroup_with_powershell.yml index 3c785a734a..a2f8fce43d 100644 --- a/detections/endpoint/getadgroup_with_powershell.yml +++ b/detections/endpoint/getadgroup_with_powershell.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ diff --git a/detections/endpoint/getcurrent_user_with_powershell.yml b/detections/endpoint/getcurrent_user_with_powershell.yml index 0df86d4dba..b6177b36ba 100644 --- a/detections/endpoint/getcurrent_user_with_powershell.yml +++ b/detections/endpoint/getcurrent_user_with_powershell.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ diff --git a/detections/endpoint/getdomaincomputer_with_powershell.yml b/detections/endpoint/getdomaincomputer_with_powershell.yml index 37c636c336..9f9f085fae 100644 --- a/detections/endpoint/getdomaincomputer_with_powershell.yml +++ b/detections/endpoint/getdomaincomputer_with_powershell.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincomputer_with_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use PowerView for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ diff --git a/detections/endpoint/getdomaincontroller_with_powershell.yml b/detections/endpoint/getdomaincontroller_with_powershell.yml index 77f2801400..2c17fb0097 100644 --- a/detections/endpoint/getdomaincontroller_with_powershell.yml +++ b/detections/endpoint/getdomaincontroller_with_powershell.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincontroller_with_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use PowerView for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ diff --git a/detections/endpoint/getdomaingroup_with_powershell.yml b/detections/endpoint/getdomaingroup_with_powershell.yml index c7cf9456c0..c4ae48b50e 100644 --- a/detections/endpoint/getdomaingroup_with_powershell.yml +++ b/detections/endpoint/getdomaingroup_with_powershell.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaingroup_with_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ diff --git a/detections/endpoint/getlocaluser_with_powershell.yml b/detections/endpoint/getlocaluser_with_powershell.yml index e3b5f91a89..6c1a849cbb 100644 --- a/detections/endpoint/getlocaluser_with_powershell.yml +++ b/detections/endpoint/getlocaluser_with_powershell.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. references: diff --git a/detections/endpoint/getnettcpconnection_with_powershell.yml b/detections/endpoint/getnettcpconnection_with_powershell.yml index d3c4024e38..fccd83abd9 100644 --- a/detections/endpoint/getnettcpconnection_with_powershell.yml +++ b/detections/endpoint/getnettcpconnection_with_powershell.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getnettcpconnection_with_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1049/ diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml index 61e4242607..e7186b0fbc 100644 --- a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml @@ -19,9 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_computer_with_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml index b4cb319b6b..70fe7773dc 100644 --- a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml @@ -20,9 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_group_with_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml index 550807d3c0..fa35f83d20 100644 --- a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml @@ -21,10 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm diff --git a/detections/endpoint/getwmiobject_user_account_with_powershell.yml b/detections/endpoint/getwmiobject_user_account_with_powershell.yml index 20c3549176..94485d445d 100644 --- a/detections/endpoint/getwmiobject_user_account_with_powershell.yml +++ b/detections/endpoint/getwmiobject_user_account_with_powershell.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_user_account_with_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. references: diff --git a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml index ea56bc7f6d..8eb69f5cb0 100644 --- a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml @@ -23,9 +23,15 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `gpupdate_with_no_command_line_arguments_with_network_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives may be present in small environments. Tuning may be required based on parent process. references: diff --git a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml index 731f2ddba4..6e84a7e296 100644 --- a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml +++ b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) values(Proce (Processes.process=*+h*) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `hiding_files_and_directories_with_attrib_exe_filter` ' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: 'Some applications and users may legitimately use attrib.exe to interact with the files. ' references: [] diff --git a/detections/endpoint/hunting_3cxdesktopapp_software.yml b/detections/endpoint/hunting_3cxdesktopapp_software.yml index f2f43b89bc..0eaa841b67 100644 --- a/detections/endpoint/hunting_3cxdesktopapp_software.yml +++ b/detections/endpoint/hunting_3cxdesktopapp_software.yml @@ -7,22 +7,36 @@ type: Hunting status: production data_source: - Sysmon Event ID 1 -description: The hunting analytic outlined below is designed to detect any version of the 3CXDesktopApp, also known as the 3CX Desktop App, operating on either Mac or Windows systems. It is important to note that this particular analytic employs the Endpoint datamodel Processes node, which means that the file version information is not provided. Recently, 3CX has identified a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app. +description: The hunting analytic outlined below is designed to detect any version + of the 3CXDesktopApp, also known as the 3CX Desktop App, operating on either Mac + or Windows systems. It is important to note that this particular analytic employs + the Endpoint datamodel Processes node, which means that the file version information + is not provided. Recently, 3CX has identified a vulnerability specifically in versions + 18.12.407 and 18.12.416 of the desktop app. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe OR Processes.process_name="3CX Desktop App" - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name - Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe + OR Processes.process_name="3CX Desktop App" by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hunting_3cxdesktopapp_software_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: There may be false positives generated due to the reliance on version numbers for identification purposes. Despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: There may be false positives generated due to the reliance + on version numbers for identification purposes. Despite this limitation, the primary + goal of this approach is to aid in the detection of the software within the environment. references: - - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ - - https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp - - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ - - https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898 - - https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/ +- https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ +- https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp +- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ +- https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898 +- https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/ tags: analytic_story: - 3CX Supply Chain Attack @@ -51,11 +65,11 @@ tags: - _time - Processes.dest - Processes.user - - Processes.parent_process_name #parent process name - - Processes.parent_process #parent cmdline + - Processes.parent_process_name + - Processes.parent_process - Processes.original_file_name - - Processes.process_name #process name - - Processes.process #process cmdline + - Processes.process_name + - Processes.process - Processes.process_id - Processes.parent_process_path - Processes.process_path @@ -67,4 +81,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/icacls_deny_command.yml b/detections/endpoint/icacls_deny_command.yml index f6724acbd8..ce12b9cb77 100644 --- a/detections/endpoint/icacls_deny_command.yml +++ b/detections/endpoint/icacls_deny_command.yml @@ -5,24 +5,30 @@ date: '2023-06-06' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. - This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. - The purpose of this behavior is to actively evade detection and impede access to their associated files. - By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, - mitigating the impact of malicious activities on the system. +description: This analytic identifies instances where an adversary modifies the security + permissions of a particular file or directory. This technique is frequently observed + in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The + purpose of this behavior is to actively evade detection and impede access to their + associated files. By identifying these security permission changes, we can enhance + our ability to detect and respond to potential threats, mitigating the impact of + malicious activities on the system. data_source: - Sysmon Event ID 1 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") - AND Processes.process IN ("*/deny*", "*/D*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `icacls_deny_command_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", + "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/deny*", "*/D*") by Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `icacls_deny_command_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. It is possible some administrative scripts use ICacls. Filter as needed. references: diff --git a/detections/endpoint/icacls_grant_command.yml b/detections/endpoint/icacls_grant_command.yml index c69495075f..24762d6160 100644 --- a/detections/endpoint/icacls_grant_command.yml +++ b/detections/endpoint/icacls_grant_command.yml @@ -5,24 +5,31 @@ date: '2023-06-06' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. - This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. - The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. - By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, - thereby minimizing the impact of malicious activities on the system. +description: This analytic identifies adversaries who manipulate the security permissions + of specific files or directories by granting additional access. This technique is + frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and + coinminer scripts. The objective behind this behavior is to actively evade detection + mechanisms and tightly control access to their associated files. By identifying + these security permission modifications, we can improve our ability to identify + and respond to potential threats, thereby minimizing the impact of malicious activities + on the system. data_source: - Sysmon Event ID 1 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") - AND Processes.process IN ("*/grant*", "*/G*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `icacls_grant_command_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", + "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") by Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `icacls_grant_command_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ diff --git a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml index d1509ccfed..b10ea70ef9 100644 --- a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml @@ -21,9 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_commandline_parameters_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases. diff --git a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml index a8cc6c1b7b..c484bc31f9 100644 --- a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml @@ -26,11 +26,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime AND match(process, "(?i)\\__output") AND match(process, "(?i)C:\\\\Windows\\\\[a-zA-Z]{1,8}\\.bat") AND match(process, "\\\\127\.0\.0\.1\\.*") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_smbexec_commandline_parameters_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases. diff --git a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml index 454dbc77b0..85498e3800 100644 --- a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml @@ -23,11 +23,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | where match(process, "(?i)cmd\.exe\s+\/Q\s+\/c") AND match(process, "\\\\127\.0\.0\.1\\.*") AND match(process, "__\\d{1,10}\\.\\d{1,10}") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `impacket_lateral_movement_wmiexec_commandline_parameters_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases. diff --git a/detections/endpoint/jscript_execution_using_cscript_app.yml b/detections/endpoint/jscript_execution_using_cscript_app.yml index 067a9e53fc..4185a144fd 100644 --- a/detections/endpoint/jscript_execution_using_cscript_app.yml +++ b/detections/endpoint/jscript_execution_using_cscript_app.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jscript_execution_using_cscript_app_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation diff --git a/detections/endpoint/linux_add_user_account.yml b/detections/endpoint/linux_add_user_account.yml index ff3f911e64..f1272c01f2 100644 --- a/detections/endpoint/linux_add_user_account.yml +++ b/detections/endpoint/linux_add_user_account.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_add_user_account_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml index d67a345562..cafffa0068 100644 --- a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml +++ b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml @@ -5,7 +5,20 @@ date: '2023-04-14' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes. +description: The following analytic identifies suspicious modifications to cron jobs + on Linux systems using the crontab command with list parameters. This command line + parameter can be abused by malware like Industroyer2, as well as adversaries and + red teamers, to add a crontab entry for executing their malicious code on a schedule + of their choice. However, it's important to note that administrators or normal users + may also use this command for legitimate automation purposes, so filtering is required + to minimize false positives. Identifying the modification of cron jobs using list + parameters is valuable for a SOC as it indicates potential malicious activity or + an attempt to establish persistence on the system. If a true positive is detected, + further investigation should be conducted to analyze the added cron job, its associated + command, and the impact it may have on the system. This includes examining the purpose + of the job, reviewing any on-disk artifacts, and identifying any related processes + or activities occurring concurrently. The impact of a true positive can range from + unauthorized execution of malicious code to data destruction or other damaging outcomes. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -14,10 +27,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_adding_crontab_using_list_parameter_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_apt_get_privilege_escalation.yml b/detections/endpoint/linux_apt_get_privilege_escalation.yml index 5acd896323..6b7c502f7a 100644 --- a/detections/endpoint/linux_apt_get_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_get_privilege_escalation.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_get_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/apt-get/ diff --git a/detections/endpoint/linux_apt_privilege_escalation.yml b/detections/endpoint/linux_apt_privilege_escalation.yml index e0273a329c..ebe77ca992 100644 --- a/detections/endpoint/linux_apt_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_privilege_escalation.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/apt/ diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml index 860e22b911..5dcbd58a75 100644 --- a/detections/endpoint/linux_at_application_execution.yml +++ b/detections/endpoint/linux_at_application_execution.yml @@ -5,11 +5,29 @@ date: '2022-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The "At" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the "At" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes.\ +description: 'The following analytic detects the execution of the "At" application + in Linux, which can be used by attackers to create persistence entries on a compromised + host. The "At" application can be used for automation purposes by administrators + or network operators, so the filter macros should be updated to remove false positives. + If a true positive is found, it suggests an attacker is trying to maintain access + to the environment or potentially deliver additional malicious payloads, leading + to data theft, ransomware, or other damaging outcomes. To implement this analytic, + ensure you are ingesting logs with the required fields from your endpoints into + the Endpoint datamodel. When a true positive is detected, it suggests that an attacker + is attempting to establish persistence or deliver additional malicious payloads + by leveraging the "At" application. This behavior can lead to data theft, ransomware + attacks, or other damaging outcomes.\ - During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes.\ + During triage, the SOC analyst should review the context surrounding the execution + of the "At" application. This includes identifying the user, the parent process + responsible for invoking the application, and the specific command-line arguments + used. It is important to consider whether the execution is expected behavior by + an administrator or network operator for legitimate automation purposes.\ - The presence of "At" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization. + The presence of "At" application execution may indicate an attacker''s attempt to + maintain unauthorized access to the environment. Immediate investigation and response + are necessary to mitigate further risks, identify the attacker''s intentions, and + prevent potential harm to the organization.' data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes @@ -18,10 +36,15 @@ search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_at_application_execution_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_awk_privilege_escalation.yml b/detections/endpoint/linux_awk_privilege_escalation.yml index 016a6cb7a1..db5be8ea15 100644 --- a/detections/endpoint/linux_awk_privilege_escalation.yml +++ b/detections/endpoint/linux_awk_privilege_escalation.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_awk_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. references: diff --git a/detections/endpoint/linux_busybox_privilege_escalation.yml b/detections/endpoint/linux_busybox_privilege_escalation.yml index b3f16f5612..0f1ac020cc 100644 --- a/detections/endpoint/linux_busybox_privilege_escalation.yml +++ b/detections/endpoint/linux_busybox_privilege_escalation.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_busybox_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/busybox/ diff --git a/detections/endpoint/linux_c89_privilege_escalation.yml b/detections/endpoint/linux_c89_privilege_escalation.yml index b1339692e7..d8993916ce 100644 --- a/detections/endpoint/linux_c89_privilege_escalation.yml +++ b/detections/endpoint/linux_c89_privilege_escalation.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c89_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/c89/ diff --git a/detections/endpoint/linux_c99_privilege_escalation.yml b/detections/endpoint/linux_c99_privilege_escalation.yml index dfb69c07ee..582ceab9e3 100644 --- a/detections/endpoint/linux_c99_privilege_escalation.yml +++ b/detections/endpoint/linux_c99_privilege_escalation.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c99_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/c99/ diff --git a/detections/endpoint/linux_change_file_owner_to_root.yml b/detections/endpoint/linux_change_file_owner_to_root.yml index 3c4651c0f0..4ff236afcb 100644 --- a/detections/endpoint/linux_change_file_owner_to_root.yml +++ b/detections/endpoint/linux_change_file_owner_to_root.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_change_file_owner_to_root_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_clipboard_data_copy.yml b/detections/endpoint/linux_clipboard_data_copy.yml index 8d5352bb3d..beee11a1c3 100644 --- a/detections/endpoint/linux_clipboard_data_copy.yml +++ b/detections/endpoint/linux_clipboard_data_copy.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_clipboard_data_copy_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed. references: diff --git a/detections/endpoint/linux_common_process_for_elevation_control.yml b/detections/endpoint/linux_common_process_for_elevation_control.yml index 2794658c8c..5dbc05670b 100644 --- a/detections/endpoint/linux_common_process_for_elevation_control.yml +++ b/detections/endpoint/linux_common_process_for_elevation_control.yml @@ -24,10 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_common_process_for_elevation_control_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_composer_privilege_escalation.yml b/detections/endpoint/linux_composer_privilege_escalation.yml index 707581f208..212eabd753 100644 --- a/detections/endpoint/linux_composer_privilege_escalation.yml +++ b/detections/endpoint/linux_composer_privilege_escalation.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_composer_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/composer/ diff --git a/detections/endpoint/linux_cpulimit_privilege_escalation.yml b/detections/endpoint/linux_cpulimit_privilege_escalation.yml index 7f946ff8ef..bdb8b5fd9d 100644 --- a/detections/endpoint/linux_cpulimit_privilege_escalation.yml +++ b/detections/endpoint/linux_cpulimit_privilege_escalation.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_cpulimit_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/cpulimit/ diff --git a/detections/endpoint/linux_csvtool_privilege_escalation.yml b/detections/endpoint/linux_csvtool_privilege_escalation.yml index f97e2000a1..92fd5845b2 100644 --- a/detections/endpoint/linux_csvtool_privilege_escalation.yml +++ b/detections/endpoint/linux_csvtool_privilege_escalation.yml @@ -16,10 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_csvtool_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/csvtool/ diff --git a/detections/endpoint/linux_curl_upload_file.yml b/detections/endpoint/linux_curl_upload_file.yml index b107ccd8f8..81e0fa4e59 100644 --- a/detections/endpoint/linux_curl_upload_file.yml +++ b/detections/endpoint/linux_curl_upload_file.yml @@ -24,11 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_curl_upload_file_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Filtering may be required. In addition to AWS credentials, add other important files and monitor. The inverse would be to look for _all_ -F behavior and tune from there. diff --git a/detections/endpoint/linux_data_destruction_command.yml b/detections/endpoint/linux_data_destruction_command.yml index 187250dd13..5c26de4ae1 100644 --- a/detections/endpoint/linux_data_destruction_command.yml +++ b/detections/endpoint/linux_data_destruction_command.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_data_destruction_command_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://cert.gov.ua/article/3718487 diff --git a/detections/endpoint/linux_dd_file_overwrite.yml b/detections/endpoint/linux_dd_file_overwrite.yml index deaa7cba46..7d461a9387 100644 --- a/detections/endpoint/linux_dd_file_overwrite.yml +++ b/detections/endpoint/linux_dd_file_overwrite.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_dd_file_overwrite_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_decode_base64_to_shell.yml b/detections/endpoint/linux_decode_base64_to_shell.yml index 892d4d83c6..c5c0913a9c 100644 --- a/detections/endpoint/linux_decode_base64_to_shell.yml +++ b/detections/endpoint/linux_decode_base64_to_shell.yml @@ -15,11 +15,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_decode_base64_to_shell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present based on legitimate software being utilized. Filter as needed. references: diff --git a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml index a57e53a19f..6fdfe7bb52 100644 --- a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml +++ b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_deleting_critical_directory_using_rm_command_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_disable_services.yml b/detections/endpoint/linux_disable_services.yml index 20bf9f5c6d..55bb168eeb 100644 --- a/detections/endpoint/linux_disable_services.yml +++ b/detections/endpoint/linux_disable_services.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_disable_services_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_doas_tool_execution.yml b/detections/endpoint/linux_doas_tool_execution.yml index f263f327ff..dc83c6999d 100644 --- a/detections/endpoint/linux_doas_tool_execution.yml +++ b/detections/endpoint/linux_doas_tool_execution.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_doas_tool_execution_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_docker_privilege_escalation.yml b/detections/endpoint/linux_docker_privilege_escalation.yml index f3245bb3e6..116d6c3826 100644 --- a/detections/endpoint/linux_docker_privilege_escalation.yml +++ b/detections/endpoint/linux_docker_privilege_escalation.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_docker_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. references: diff --git a/detections/endpoint/linux_edit_cron_table_parameter.yml b/detections/endpoint/linux_edit_cron_table_parameter.yml index a426c53022..5c512b87d7 100644 --- a/detections/endpoint/linux_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_edit_cron_table_parameter.yml @@ -5,13 +5,25 @@ date: '2021-12-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e).\ +description: 'The following analytic detects the suspicious editing of cron jobs in + Linux via the crontab command-line parameter. This tactic could be used by adversaries + or malware to schedule execution of their malicious code, potentially leading to + system compromise or unauthorized persistent access. It pinpoints this activity + by monitoring command-line executions involving ''crontab'' and the edit parameter + (-e).\ - Recognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise.\ + Recognizing such activity is vital for a SOC as cron job manipulations might signal + unauthorized persistence attempts or scheduled malicious actions, potentially resulting + in substantial harm. A true positive signifies an active threat, with implications + ranging from unauthorized access to broader network compromise.\ - To implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested.\ + To implement this analytic, logs capturing process name, parent process, and command-line + executions from your endpoints must be ingested.\ - Known false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks.\ + Known false positives could stem from valid administrative tasks or automation processes + using crontab. To reduce these, fine-tune the filter macros according to the benign + activities within your environment. These adjustments ensure legitimate actions + aren''t mistaken for threats, allowing analysts to focus on genuine potential risks.\' data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -20,10 +32,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_edit_cron_table_parameter_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_emacs_privilege_escalation.yml b/detections/endpoint/linux_emacs_privilege_escalation.yml index 963a3f94e5..7def3206d2 100644 --- a/detections/endpoint/linux_emacs_privilege_escalation.yml +++ b/detections/endpoint/linux_emacs_privilege_escalation.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_emacs_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/emacs/ diff --git a/detections/endpoint/linux_find_privilege_escalation.yml b/detections/endpoint/linux_find_privilege_escalation.yml index d61492540a..2c32cee058 100644 --- a/detections/endpoint/linux_find_privilege_escalation.yml +++ b/detections/endpoint/linux_find_privilege_escalation.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_find_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. references: diff --git a/detections/endpoint/linux_gdb_privilege_escalation.yml b/detections/endpoint/linux_gdb_privilege_escalation.yml index b940431f7f..baf12b24ec 100644 --- a/detections/endpoint/linux_gdb_privilege_escalation.yml +++ b/detections/endpoint/linux_gdb_privilege_escalation.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gdb_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/gdb/ diff --git a/detections/endpoint/linux_gem_privilege_escalation.yml b/detections/endpoint/linux_gem_privilege_escalation.yml index f10fd858e7..c21647a002 100644 --- a/detections/endpoint/linux_gem_privilege_escalation.yml +++ b/detections/endpoint/linux_gem_privilege_escalation.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gem_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/gem/ diff --git a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml index 3053320692..e3e12d70ee 100644 --- a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml +++ b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml @@ -21,10 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_gnu_awk_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/gawk/ diff --git a/detections/endpoint/linux_hardware_addition_swapoff.yml b/detections/endpoint/linux_hardware_addition_swapoff.yml index 0fb0b9eb7f..ee77fb55c0 100644 --- a/detections/endpoint/linux_hardware_addition_swapoff.yml +++ b/detections/endpoint/linux_hardware_addition_swapoff.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_hardware_addition_swapoff_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: administrator may disable swapping of devices in a linux host. Filter is needed. references: diff --git a/detections/endpoint/linux_impair_defenses_process_kill.yml b/detections/endpoint/linux_impair_defenses_process_kill.yml index 87d6109b3e..7530857b1f 100644 --- a/detections/endpoint/linux_impair_defenses_process_kill.yml +++ b/detections/endpoint/linux_impair_defenses_process_kill.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_impair_defenses_process_kill_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: network admin can terminate a process using this linux command. Filter is needed. references: diff --git a/detections/endpoint/linux_indicator_removal_clear_cache.yml b/detections/endpoint/linux_indicator_removal_clear_cache.yml index 44fb1bdb27..f31e64db3f 100644 --- a/detections/endpoint/linux_indicator_removal_clear_cache.yml +++ b/detections/endpoint/linux_indicator_removal_clear_cache.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_clear_cache_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ diff --git a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml index 05b1c5bd5f..4a99cb6e7e 100644 --- a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml +++ b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_service_file_deletion_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: network admin can delete services unit configuration file as part of normal software installation. Filter is needed. references: diff --git a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml index 1ea4bfeee4..48fe8fba14 100644 --- a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml +++ b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ingress_tool_transfer_hunting_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives will be present. This query is meant to help tune other curl and wget analytics. references: diff --git a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml index fcd4f6300f..f337572bab 100644 --- a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml +++ b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process, "(?i)(-O|-sO|-ksO|--output)") | `linux_ingress_tool_transfer_with_curl_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives will be present. Tune and then change type to TTP. references: diff --git a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml index e9e5ba5b43..d5c18f3b12 100644 --- a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml +++ b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_insert_kernel_module_using_insmod_utility_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml index d1b1e111aa..47d00207fc 100644 --- a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml +++ b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_install_kernel_module_using_modprobe_utility_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_iptables_firewall_modification.yml b/detections/endpoint/linux_iptables_firewall_modification.yml index 0d654cad50..0b0d3847e1 100644 --- a/detections/endpoint/linux_iptables_firewall_modification.yml +++ b/detections/endpoint/linux_iptables_firewall_modification.yml @@ -26,10 +26,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.parent_process_id Processes.dest Processes.user Processes.parent_process_path Processes.process_path | where port_count >=3 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_iptables_firewall_modification_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: administrator may do this commandline for auditing and testing purposes. In this scenario filter is needed. references: diff --git a/detections/endpoint/linux_java_spawning_shell.yml b/detections/endpoint/linux_java_spawning_shell.yml index 607f672ed5..b0eca339aa 100644 --- a/detections/endpoint/linux_java_spawning_shell.yml +++ b/detections/endpoint/linux_java_spawning_shell.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_java_spawning_shell_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon for Linux, you will need to ensure mapping is - occurring correctly. Ensure EDR product is mapping OS Linux to the datamodel properly. - Add any additional java process names for your environment to the analytic as needed. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on asset type. references: diff --git a/detections/endpoint/linux_kernel_module_enumeration.yml b/detections/endpoint/linux_kernel_module_enumeration.yml index d61ec44983..8278984606 100644 --- a/detections/endpoint/linux_kernel_module_enumeration.yml +++ b/detections/endpoint/linux_kernel_module_enumeration.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kernel_module_enumeration_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. references: diff --git a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml index f67bcaf44f..f80f642295 100644 --- a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml +++ b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml @@ -24,10 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_path Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kworker_process_in_writable_process_path_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf diff --git a/detections/endpoint/linux_make_privilege_escalation.yml b/detections/endpoint/linux_make_privilege_escalation.yml index b6b5d1f638..0999b4b664 100644 --- a/detections/endpoint/linux_make_privilege_escalation.yml +++ b/detections/endpoint/linux_make_privilege_escalation.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_make_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/make/ diff --git a/detections/endpoint/linux_mysql_privilege_escalation.yml b/detections/endpoint/linux_mysql_privilege_escalation.yml index 68efd4db49..dcae35901e 100644 --- a/detections/endpoint/linux_mysql_privilege_escalation.yml +++ b/detections/endpoint/linux_mysql_privilege_escalation.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_mysql_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. references: diff --git a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml index 6a2205773b..400625bee9 100644 --- a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml +++ b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ngrok_reverse_proxy_usage_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present if Ngrok is an authorized utility. Filter as needed. references: diff --git a/detections/endpoint/linux_node_privilege_escalation.yml b/detections/endpoint/linux_node_privilege_escalation.yml index 800d9d88ec..53bd573330 100644 --- a/detections/endpoint/linux_node_privilege_escalation.yml +++ b/detections/endpoint/linux_node_privilege_escalation.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_node_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. references: diff --git a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml index 4ffad566fa..9b6dfa7797 100644 --- a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml +++ b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_nopasswd_entry_in_sudoers_file_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml index 3002f20059..49332decc7 100644 --- a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml +++ b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_obfuscated_files_or_information_base64_decode_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present and will require some tuning based on processes. Filter as needed. references: diff --git a/detections/endpoint/linux_octave_privilege_escalation.yml b/detections/endpoint/linux_octave_privilege_escalation.yml index 6e57465cf2..16f7960fb5 100644 --- a/detections/endpoint/linux_octave_privilege_escalation.yml +++ b/detections/endpoint/linux_octave_privilege_escalation.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_octave_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/octave/ diff --git a/detections/endpoint/linux_openvpn_privilege_escalation.yml b/detections/endpoint/linux_openvpn_privilege_escalation.yml index 77cd3cb525..f959cda5d9 100644 --- a/detections/endpoint/linux_openvpn_privilege_escalation.yml +++ b/detections/endpoint/linux_openvpn_privilege_escalation.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_openvpn_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/openvpn/ diff --git a/detections/endpoint/linux_php_privilege_escalation.yml b/detections/endpoint/linux_php_privilege_escalation.yml index b9947d1c00..b90ab3924a 100644 --- a/detections/endpoint/linux_php_privilege_escalation.yml +++ b/detections/endpoint/linux_php_privilege_escalation.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_php_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/php/ diff --git a/detections/endpoint/linux_pkexec_privilege_escalation.yml b/detections/endpoint/linux_pkexec_privilege_escalation.yml index 49c8e1c81e..4d85720fea 100644 --- a/detections/endpoint/linux_pkexec_privilege_escalation.yml +++ b/detections/endpoint/linux_pkexec_privilege_escalation.yml @@ -16,14 +16,15 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint Processes.parent_process_name Processes.process_name Processes.process Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(^.{1}$)" | `linux_pkexec_privilege_escalation_filter`' -how_to_implement: Depending on the EDR product in use, there are multiple ways to - "null" the command-line field, Processes.process. Two that may be useful `process="(^.{0}$)"` - or `| where isnull(process)`. To generate data for this behavior, Sysmon for Linux - was utilized. To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://www.reddit.com/r/crowdstrike/comments/sdfeig/20220126_cool_query_friday_hunting_pwnkit_local/ diff --git a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml index a392f93461..87de975185 100644 --- a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml +++ b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_or_modification_of_sshd_config_file_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_possible_access_to_credential_files.yml b/detections/endpoint/linux_possible_access_to_credential_files.yml index 9d0619a57b..a69534ac14 100644 --- a/detections/endpoint/linux_possible_access_to_credential_files.yml +++ b/detections/endpoint/linux_possible_access_to_credential_files.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_credential_files_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_possible_access_to_sudoers_file.yml index 0c0307a887..0d3823ec91 100644 --- a/detections/endpoint/linux_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_possible_access_to_sudoers_file.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_sudoers_file_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml index 2e3a0368bd..4cc2f24398 100644 --- a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml +++ b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml @@ -5,9 +5,16 @@ date: '2022-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command.\ +description: 'The following analytic is designed to identify suspicious command lines + that may append user entries to either /etc/at.allow or /etc/at.deny. These files + can be exploited by malicious actors for persistence on a compromised Linux host + by altering permissions for scheduled tasks using the at command.\ - In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive. + In this context, an attacker can create a user or add an existing user to these + configuration files to execute their malicious code through scheduled tasks. The + detection of such anomalous behavior can serve as an effective indicator warranting + further investigation to validate if the activity is indeed malicious or a false + positive.' data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes @@ -16,10 +23,15 @@ search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_at_allow_config_file_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml index 74dbe3a880..4df883fe56 100644 --- a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml +++ b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml @@ -21,10 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_profile_config_file_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml index 0df7fc5f30..206c016f04 100644 --- a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -5,11 +5,22 @@ date: '2021-12-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically.\ +description: 'The following analytic is designed to detect potential tampering with + cronjob files on a Linux system. It specifically searches for command lines that + may be used to append code to existing cronjob files, a technique often employed + by adversaries, malware, and red teamers for persistence or privilege escalation. + Altering existing or sometimes normal cronjob script files allows malicious code + to be executed automatically.\ - The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered.\ + The analytic operates by monitoring logs for specific process names, parent processes, + and command-line executions from your endpoints. It specifically checks for any + ''echo'' command which modifies files in directories commonly associated with cron + jobs such as ''/etc/cron*'', ''/var/spool/cron/'', and ''/etc/anacrontab''. If such + activity is detected, an alert is triggered.\ - This behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity. + This behavior is worth identifying for a SOC because malicious cron jobs can lead + to system compromises and unauthorized data access, impacting business operations + and data integrity.' data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes @@ -18,11 +29,18 @@ search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. -known_false_positives: False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may arise from legitimate actions by administrators + or network operators who may use these commands for automation purposes. Therefore, + it's recommended to adjust filter macros to eliminate such false positives. references: - https://attack.mitre.org/techniques/T1053/003/ - https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability diff --git a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml index 959cdb9076..341285302e 100644 --- a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml +++ b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml @@ -5,14 +5,27 @@ date: '2021-12-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this behavior by tracking command-line executions that interact with paths related to cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor.\ - The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities.\ +description: 'The following analytic detects potential unauthorized modifications + to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this + behavior by tracking command-line executions that interact with paths related to + cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated + by attackers for privilege escalation or persistent access, making such changes + critical to monitor.\ The identified behavior is significant for a Security Operations + Center (SOC) as it could indicate an ongoing attempt at establishing persistent + access or privilege escalation, leading to data breaches, system compromise, or + other malicious activities.\ - In case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration.\ + In case of a true positive, the impact could be severe. An attacker with escalated + privileges or persistent access could carry out damaging actions, such as data theft, + sabotage, or further network penetration.\ - To implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon.\ + To implement this analytic, ensure ingestion of logs tracking process name, parent + process, and command-line executions from your endpoints. Utilize the Add-on for + Linux Sysmon from Splunkbase if you''re using Sysmon.\ - Known false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances. + Known false positives include legitimate administrative tasks, as these commands + may also be used for benign purposes. Careful tuning and filtering based on known + benign activity in your environment can minimize these instances.' data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -22,10 +35,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_cronjob_modification_with_editor_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_preload_hijack_library_calls.yml b/detections/endpoint/linux_preload_hijack_library_calls.yml index a9b0eac93c..bc081670e9 100644 --- a/detections/endpoint/linux_preload_hijack_library_calls.yml +++ b/detections/endpoint/linux_preload_hijack_library_calls.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_preload_hijack_library_calls_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_proxy_socks_curl.yml b/detections/endpoint/linux_proxy_socks_curl.yml index b3381cf4ea..7ded4f6ea8 100644 --- a/detections/endpoint/linux_proxy_socks_curl.yml +++ b/detections/endpoint/linux_proxy_socks_curl.yml @@ -24,11 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_proxy_socks_curl_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present based on proxy usage internally. Filter as needed. references: diff --git a/detections/endpoint/linux_puppet_privilege_escalation.yml b/detections/endpoint/linux_puppet_privilege_escalation.yml index 0d1b277e69..8a2cbc67ee 100644 --- a/detections/endpoint/linux_puppet_privilege_escalation.yml +++ b/detections/endpoint/linux_puppet_privilege_escalation.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_puppet_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/puppet/ diff --git a/detections/endpoint/linux_rpm_privilege_escalation.yml b/detections/endpoint/linux_rpm_privilege_escalation.yml index 98fd5d7d5a..9e8b7d2bb8 100644 --- a/detections/endpoint/linux_rpm_privilege_escalation.yml +++ b/detections/endpoint/linux_rpm_privilege_escalation.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_rpm_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. references: diff --git a/detections/endpoint/linux_ruby_privilege_escalation.yml b/detections/endpoint/linux_ruby_privilege_escalation.yml index 86e9573a31..6bc67a1f79 100644 --- a/detections/endpoint/linux_ruby_privilege_escalation.yml +++ b/detections/endpoint/linux_ruby_privilege_escalation.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ruby_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. references: diff --git a/detections/endpoint/linux_service_restarted.yml b/detections/endpoint/linux_service_restarted.yml index b9f0b94f2a..b22b3cf217 100644 --- a/detections/endpoint/linux_service_restarted.yml +++ b/detections/endpoint/linux_service_restarted.yml @@ -5,11 +5,25 @@ date: '2023-04-14' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the restarting or re-enabling of services in the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation.\ +description: 'The following analytic detects the restarting or re-enabling of services + in the Linux platform. It focuses on the use of the systemctl or service tools for + executing these actions. Adversaries may leverage this technique to repeatedly execute + malicious payloads as a form of persistence. Linux hosts typically start services + during boot to perform background system functions. However, administrators may + also create legitimate services for specific tools or applications as part of task + automation. In such cases, it is recommended to verify the service path of the registered + script or executable and identify the creator of the service for further validation.\ - It's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives.\ + It''s important to be aware that this analytic may generate false positives as administrators + or network operators may use the same command-line for legitimate automation purposes. + Filter macros should be updated accordingly to minimize false positives.\ - Identifying restarted or re-enabled services is valuable for a SOC as it can indicate potential malicious activities attempting to maintain persistence or execute unauthorized actions on Linux systems. By detecting and investigating these events, security analysts can respond promptly to mitigate risks and prevent further compromise. The impact of a true positive can range from unauthorized access to data destruction or other damaging outcomes. + Identifying restarted or re-enabled services is valuable for a SOC as it can indicate + potential malicious activities attempting to maintain persistence or execute unauthorized + actions on Linux systems. By detecting and investigating these events, security + analysts can respond promptly to mitigate risks and prevent further compromise. + The impact of a true positive can range from unauthorized access to data destruction + or other damaging outcomes.' data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -19,10 +33,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_restarted_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and commandline executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_service_started_or_enabled.yml b/detections/endpoint/linux_service_started_or_enabled.yml index 6c02308a24..9dc4aff3bc 100644 --- a/detections/endpoint/linux_service_started_or_enabled.yml +++ b/detections/endpoint/linux_service_started_or_enabled.yml @@ -5,7 +5,16 @@ date: '2021-12-20' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the creation or enabling of services in Linux platforms, specifically using the systemctl or service tool application. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the process name, parent process, and command-line executions from your endpoints. +description: The following analytic detects the creation or enabling of services in + Linux platforms, specifically using the systemctl or service tool application. This + behavior is worth identifying as adversaries may create or modify services to execute + malicious payloads as part of persistence. Legitimate services created by administrators + for automation purposes may also trigger this analytic, so it is important to update + the filter macros to remove false positives. If a true positive is found, it suggests + an possible attacker is attempting to persist within the environment or deliver + additional malicious payloads, leading to data theft, ransomware, or other damaging + outcomes. To implement this analytic, ensure you are ingesting logs with the process + name, parent process, and command-line executions from your endpoints. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -15,10 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_started_or_enabled_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_setuid_using_chmod_utility.yml b/detections/endpoint/linux_setuid_using_chmod_utility.yml index 08dae2f2d8..ce220faee8 100644 --- a/detections/endpoint/linux_setuid_using_chmod_utility.yml +++ b/detections/endpoint/linux_setuid_using_chmod_utility.yml @@ -23,10 +23,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_chmod_utility_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_setuid_using_setcap_utility.yml b/detections/endpoint/linux_setuid_using_setcap_utility.yml index 367b8c9014..f8892ab7e2 100644 --- a/detections/endpoint/linux_setuid_using_setcap_utility.yml +++ b/detections/endpoint/linux_setuid_using_setcap_utility.yml @@ -24,10 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_setcap_utility_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_shred_overwrite_command.yml b/detections/endpoint/linux_shred_overwrite_command.yml index 70d6c63322..be1e796716 100644 --- a/detections/endpoint/linux_shred_overwrite_command.yml +++ b/detections/endpoint/linux_shred_overwrite_command.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_shred_overwrite_command_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_sqlite3_privilege_escalation.yml b/detections/endpoint/linux_sqlite3_privilege_escalation.yml index 2f50dff9cf..df0bd543bf 100644 --- a/detections/endpoint/linux_sqlite3_privilege_escalation.yml +++ b/detections/endpoint/linux_sqlite3_privilege_escalation.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sqlite3_privilege_escalation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the - Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/sqlite3/ diff --git a/detections/endpoint/linux_ssh_authorized_keys_modification.yml b/detections/endpoint/linux_ssh_authorized_keys_modification.yml index 6f03caf8ee..21f284c034 100644 --- a/detections/endpoint/linux_ssh_authorized_keys_modification.yml +++ b/detections/endpoint/linux_ssh_authorized_keys_modification.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_authorized_keys_modification_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Filtering will be required as system administrators will add and remove. One way to filter query is to add "echo". references: diff --git a/detections/endpoint/linux_ssh_remote_services_script_execute.yml b/detections/endpoint/linux_ssh_remote_services_script_execute.yml index 35352e2568..85fe7ad393 100644 --- a/detections/endpoint/linux_ssh_remote_services_script_execute.yml +++ b/detections/endpoint/linux_ssh_remote_services_script_execute.yml @@ -10,16 +10,21 @@ description: The following analytic identifies SSH being utilized to move latera data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ssh Processes.process IN ("*oStrictHostKeyChecking*", "*oConnectTimeout*", "*oBatchMode*") AND Processes.process IN ("*http:*","*https:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `linux_ssh_remote_services_script_execute_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ssh + Processes.process IN ("*oStrictHostKeyChecking*", "*oConnectTimeout*", "*oBatchMode*") + AND Processes.process IN ("*http:*","*https:*") by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_ssh_remote_services_script_execute_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: This is not a common command to be executed. Filter as needed. references: - https://redcanary.com/blog/lateral-movement-with-secure-shell/ diff --git a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml index 63f81e93d2..ed4a9c072b 100644 --- a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml +++ b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_guid Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stdout_redirection_to_dev_null_file_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf diff --git a/detections/endpoint/linux_stop_services.yml b/detections/endpoint/linux_stop_services.yml index 5f6f7c3fe3..ef7d5cf552 100644 --- a/detections/endpoint/linux_stop_services.yml +++ b/detections/endpoint/linux_stop_services.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stop_services_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_sudo_or_su_execution.yml b/detections/endpoint/linux_sudo_or_su_execution.yml index 80de3d5ce2..52c5b98b2b 100644 --- a/detections/endpoint/linux_sudo_or_su_execution.yml +++ b/detections/endpoint/linux_sudo_or_su_execution.yml @@ -21,10 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sudo_or_su_execution_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. If you are - using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_system_network_discovery.yml b/detections/endpoint/linux_system_network_discovery.yml index 7902c25557..9ea3279453 100644 --- a/detections/endpoint/linux_system_network_discovery.yml +++ b/detections/endpoint/linux_system_network_discovery.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces IN ("arp", "ifconfig", "ip", "netstat", "firewall-cmd", "ufw", "iptables", "ss", "route") by _time span=30m Processes.dest Processes.user | where process_name_count >=4 | `drop_dm_object_name(Processes)`| `linux_system_network_discovery_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_system_reboot_via_system_request_key.yml b/detections/endpoint/linux_system_reboot_via_system_request_key.yml index 79863b79b4..c1e7dd8e00 100644 --- a/detections/endpoint/linux_system_reboot_via_system_request_key.yml +++ b/detections/endpoint/linux_system_reboot_via_system_request_key.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_system_reboot_via_system_request_key_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html diff --git a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml index 8aa8c974c2..80328aa259 100644 --- a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml +++ b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_unix_shell_enable_all_sysrq_functions_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html diff --git a/detections/endpoint/linux_visudo_utility_execution.yml b/detections/endpoint/linux_visudo_utility_execution.yml index 3bfe997a1a..4f19d7f2bc 100644 --- a/detections/endpoint/linux_visudo_utility_execution.yml +++ b/detections/endpoint/linux_visudo_utility_execution.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_visudo_utility_execution_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from - Splunkbase. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/local_account_discovery_with_net.yml b/detections/endpoint/local_account_discovery_with_net.yml index 3c8c5f122a..a087b61004 100644 --- a/detections/endpoint/local_account_discovery_with_net.yml +++ b/detections/endpoint/local_account_discovery_with_net.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_net_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1087/001/ diff --git a/detections/endpoint/local_account_discovery_with_wmic.yml b/detections/endpoint/local_account_discovery_with_wmic.yml index dc05e0b7d6..db65a2142b 100644 --- a/detections/endpoint/local_account_discovery_with_wmic.yml +++ b/detections/endpoint/local_account_discovery_with_wmic.yml @@ -16,9 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_wmic_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1087/001/ diff --git a/detections/endpoint/macos___re_opened_applications.yml b/detections/endpoint/macos___re_opened_applications.yml index ed37ea99ca..2e1f31fe7e 100644 --- a/detections/endpoint/macos___re_opened_applications.yml +++ b/detections/endpoint/macos___re_opened_applications.yml @@ -15,11 +15,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `macos___re_opened_applications_filter`' -how_to_implement: In order to properly run this search, Splunk needs to ingest process - data from your osquery deployed agents with the [splunk.conf](https://github.com/splunk/TA-osquery/blob/master/config/splunk.conf) - pack enabled. Also the [TA-OSquery](https://github.com/splunk/TA-osquery) must be - deployed across your indexers and universal forwarders in order to have the data - populate the Endpoint data model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: At this stage, there are no known false positives. During testing, no process events refering the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. Therefore, it can be asumed diff --git a/detections/endpoint/malicious_inprocserver32_modification.yml b/detections/endpoint/malicious_inprocserver32_modification.yml index d4fc0fb9e9..904d1ff783 100644 --- a/detections/endpoint/malicious_inprocserver32_modification.yml +++ b/detections/endpoint/malicious_inprocserver32_modification.yml @@ -30,11 +30,15 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint process process_guid user] | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name registry_path registry_key_name registry_value_name user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_inprocserver32_modification_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited, filter as needed. In our test case, Remcos used regsvr32.exe to modify the registry. It may be required, dependent upon the EDR tool producing registry events, to remove (Default) from diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml index aac0b4a334..e260077dd4 100644 --- a/detections/endpoint/malicious_powershell_process___encoded_command.yml +++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml @@ -27,11 +27,15 @@ search: "| tstats `security_content_summariesonly` count min(_time) as firstTime \ Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`\ \ | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|\u2013\ |\u2014|\u2015]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\s+[^-]\") | `malicious_powershell_process___encoded_command_filter`" -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: System administrators may use this option, but it's not common. references: - https://regexr.com/662ov diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml index 52222b5fef..6f27691472 100644 --- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml +++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process_id) where `process_powershell` (Processes.process="* -ex*" OR Processes.process="* bypass *") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate. diff --git a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml index ec019553b4..55657bd84b 100644 --- a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml +++ b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces `security_content_ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process,"`"))-1) + (mvcount(split(process, "^"))-1) + (mvcount(split(process, "''"))-1) | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation > 10 ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: These characters might be legitimately on the command-line, but it is not common. references: [] diff --git a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml index fea008f71d..42fddb3d71 100644 --- a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml +++ b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mimikatz_passtheticket_commandline_parameters_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although highly unlikely, legitimate applications may use the same command line parameters as Mimikatz. references: diff --git a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml index 0cfbb343a1..d7f006f0e0 100644 --- a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml @@ -30,9 +30,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mmc_lolbas_execution_process_spawn_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Legitimate applications may trigger this behavior, filter as needed. references: diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml index f5c18a31af..a60dd5d8a6 100644 --- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml +++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml @@ -21,10 +21,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as = "* SYSTEM:*" OR Processes.process = "* S-1-1-0:*") by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modify_acl_permission_to_files_or_folder_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed cacls.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: administrators may use this command. Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ diff --git a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml index 6218e7cbcf..40354a5462 100644 --- a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml +++ b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msbuild_suspicious_spawned_by_script_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited as developers do not spawn MSBuild via a WSH. references: diff --git a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml index 7ad0efd2ef..b37510453b 100644 --- a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml +++ b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `mshta_spawning_rundll32_or_regsvr32_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: limitted. this anomaly behavior is not commonly seen in clean host. references: diff --git a/detections/endpoint/net_localgroup_discovery.yml b/detections/endpoint/net_localgroup_discovery.yml index 2c64bd8956..c609df4766 100644 --- a/detections/endpoint/net_localgroup_discovery.yml +++ b/detections/endpoint/net_localgroup_discovery.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `net_localgroup_discovery_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present. Tune as needed. references: - https://attack.mitre.org/techniques/T1069/001/ diff --git a/detections/endpoint/network_connection_discovery_with_arp.yml b/detections/endpoint/network_connection_discovery_with_arp.yml index b1e441fbf8..08ff5694f6 100644 --- a/detections/endpoint/network_connection_discovery_with_arp.yml +++ b/detections/endpoint/network_connection_discovery_with_arp.yml @@ -16,9 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_arp_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1049/ diff --git a/detections/endpoint/network_connection_discovery_with_net.yml b/detections/endpoint/network_connection_discovery_with_net.yml index 781e1ce56e..bfa3c325b3 100644 --- a/detections/endpoint/network_connection_discovery_with_net.yml +++ b/detections/endpoint/network_connection_discovery_with_net.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_net_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1049/ diff --git a/detections/endpoint/network_connection_discovery_with_netstat.yml b/detections/endpoint/network_connection_discovery_with_netstat.yml index 7696de1c66..953f9d241a 100644 --- a/detections/endpoint/network_connection_discovery_with_netstat.yml +++ b/detections/endpoint/network_connection_discovery_with_netstat.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_netstat_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1049/ diff --git a/detections/endpoint/network_discovery_using_route_windows_app.yml b/detections/endpoint/network_discovery_using_route_windows_app.yml index 4cfd7967e2..4220112e03 100644 --- a/detections/endpoint/network_discovery_using_route_windows_app.yml +++ b/detections/endpoint/network_discovery_using_route_windows_app.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_discovery_using_route_windows_app_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: A network operator or systems administrator may utilize an automated host discovery application that may generate false positives or an amazon ec2 script that uses this application. Filter as needed. diff --git a/detections/endpoint/nishang_powershelltcponeline.yml b/detections/endpoint/nishang_powershelltcponeline.yml index de6fd0c2d6..5b2a2c75ce 100644 --- a/detections/endpoint/nishang_powershelltcponeline.yml +++ b/detections/endpoint/nishang_powershelltcponeline.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `nishang_powershelltcponeline_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives may be present. Filter as needed based on initial analysis. references: diff --git a/detections/endpoint/nltest_domain_trust_discovery.yml b/detections/endpoint/nltest_domain_trust_discovery.yml index 9e596e4973..5c1032886e 100644 --- a/detections/endpoint/nltest_domain_trust_discovery.yml +++ b/detections/endpoint/nltest_domain_trust_discovery.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nltest_domain_trust_discovery_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may use nltest for troubleshooting purposes, otherwise, rarely used. references: diff --git a/detections/endpoint/notepad_with_no_command_line_arguments.yml b/detections/endpoint/notepad_with_no_command_line_arguments.yml index 8ea3ddb036..832b1795fb 100644 --- a/detections/endpoint/notepad_with_no_command_line_arguments.yml +++ b/detections/endpoint/notepad_with_no_command_line_arguments.yml @@ -7,16 +7,31 @@ type: TTP status: production data_source: - Sysmon Event ID 1 -description: The following analytic identifies behavior related to default SliverC2 framework where it will inject into Notepad.exe and spawn Notepad.exe with no command line arguments. In testing, this is a common procedure for SliverC2 usage, however may be modified or changed. - From Microsoft, "The Sideload, SpawnDll, and Execute-Assembly commands spawn and inject into notepad.exe by default. The following query finds process creation events where the same process creates and injects into notepad.exe within 10 seconds." -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=notepad.exe AND Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | regex process="(?i)(notepad\.exe.{0,4}$)" +description: The following analytic identifies behavior related to default SliverC2 + framework where it will inject into Notepad.exe and spawn Notepad.exe with no command + line arguments. In testing, this is a common procedure for SliverC2 usage, however + may be modified or changed. From Microsoft, "The Sideload, SpawnDll, and Execute-Assembly + commands spawn and inject into notepad.exe by default. The following query finds + process creation events where the same process creates and injects into notepad.exe + within 10 seconds." +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=notepad.exe + AND Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name + Processes.dest Processes.process_path Processes.process Processes.parent_process_name + Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | regex process="(?i)(notepad\.exe.{0,4}$)" | `notepad_with_no_command_line_arguments_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives may be present and filtering may need to occur based on organization endpoint behavior. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present and filtering may need to occur + based on organization endpoint behavior. references: - https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors#Purple-Team-Section @@ -26,7 +41,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 50 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ with no command line arguments. + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ with no command line arguments. mitre_attack_id: - T1055 observable: @@ -50,11 +66,11 @@ tags: - _time - Processes.dest - Processes.user - - Processes.parent_process_name #parent process name - - Processes.parent_process #parent cmdline + - Processes.parent_process_name + - Processes.parent_process - Processes.original_file_name - - Processes.process_name #process name - - Processes.process #process cmdline + - Processes.process_name + - Processes.process - Processes.process_id - Processes.parent_process_path - Processes.process_path @@ -66,4 +82,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/notepad_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/ntdsutil_export_ntds.yml b/detections/endpoint/ntdsutil_export_ntds.yml index 51f06bb2a1..89ed4f1088 100644 --- a/detections/endpoint/ntdsutil_export_ntds.yml +++ b/detections/endpoint/ntdsutil_export_ntds.yml @@ -24,10 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ntdsutil_export_ntds_filter`' -how_to_implement: You must be ingesting endpoint data that tracks process activity, - including parent-child relationships from your endpoints, to populate the Endpoint - data model in the Processes node. The command-line arguments are mapped to the "process" - field in the Endpoint data model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Highly possible Server Administrators will troubleshoot with ntdsutil.exe, generating false positives. references: diff --git a/detections/endpoint/office_application_spawn_regsvr32_process.yml b/detections/endpoint/office_application_spawn_regsvr32_process.yml index 21befd15f6..ab38257c50 100644 --- a/detections/endpoint/office_application_spawn_regsvr32_process.yml +++ b/detections/endpoint/office_application_spawn_regsvr32_process.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_regsvr32_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.joesandbox.com/analysis/380662/0/html diff --git a/detections/endpoint/office_application_spawn_rundll32_process.yml b/detections/endpoint/office_application_spawn_rundll32_process.yml index 60093ea33d..d4f83f7b4d 100644 --- a/detections/endpoint/office_application_spawn_rundll32_process.yml +++ b/detections/endpoint/office_application_spawn_rundll32_process.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_rundll32_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://any.run/malware-trends/trickbot diff --git a/detections/endpoint/office_document_spawned_child_process_to_download.yml b/detections/endpoint/office_document_spawned_child_process_to_download.yml index f026ef5d30..b013a5aa71 100644 --- a/detections/endpoint/office_document_spawned_child_process_to_download.yml +++ b/detections/endpoint/office_document_spawned_child_process_to_download.yml @@ -13,17 +13,22 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name - IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") - Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name IN("firefox.exe", - "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `office_document_spawned_child_process_to_download_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances office application and browser may be - used. + IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", + "Graph.exe","winproj.exe") Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name + IN("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.original_file_name | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `office_document_spawned_child_process_to_download_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Default browser not in the filter list. references: - https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/ diff --git a/detections/endpoint/office_product_spawn_cmd_process.yml b/detections/endpoint/office_product_spawn_cmd_process.yml index d9aaaf0f52..9e80c568bb 100644 --- a/detections/endpoint/office_product_spawn_cmd_process.yml +++ b/detections/endpoint/office_product_spawn_cmd_process.yml @@ -17,16 +17,20 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime = "winword.exe" OR Processes.parent_process_name= "excel.exe" OR Processes.parent_process_name = "powerpnt.exe" OR Processes.parent_process_name= "onenote.exe" OR Processes.parent_process_name = "onenotem.exe" OR Processes.parent_process_name = "onenoteviewer.exe" OR Processes.parent_process_name - = "onenoteim.exe" OR Processes.parent_process_name = "msaccess.exe" OR Processes.parent_process_name="Graph.exe" OR Processes.parent_process_name="winproj.exe") `process_cmd` - by Processes.parent_process Processes.process_name Processes.process Processes.process_id - Processes.process_guid Processes.user Processes.dest Processes.original_file_name - | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` - | `office_product_spawn_cmd_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + = "onenoteim.exe" OR Processes.parent_process_name = "msaccess.exe" OR Processes.parent_process_name="Graph.exe" + OR Processes.parent_process_name="winproj.exe") `process_cmd` by Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.process_guid + Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_product_spawn_cmd_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: IT or network admin may create an document automation that will run shell script. references: diff --git a/detections/endpoint/office_product_spawning_bitsadmin.yml b/detections/endpoint/office_product_spawning_bitsadmin.yml index 4d7563ff48..34a2e6fb88 100644 --- a/detections/endpoint/office_product_spawning_bitsadmin.yml +++ b/detections/endpoint/office_product_spawning_bitsadmin.yml @@ -21,15 +21,19 @@ data_source: search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", - "msaccess.exe", "Graph.exe","winproj.exe") `process_bitsadmin` by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `office_product_spawning_bitsadmin_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + "msaccess.exe", "Graph.exe","winproj.exe") `process_bitsadmin` by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_bitsadmin_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: No false positives known. Filter as needed. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md diff --git a/detections/endpoint/office_product_spawning_certutil.yml b/detections/endpoint/office_product_spawning_certutil.yml index 55f13dc9ed..61639c3c59 100644 --- a/detections/endpoint/office_product_spawning_certutil.yml +++ b/detections/endpoint/office_product_spawning_certutil.yml @@ -19,16 +19,20 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name - IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") - `process_certutil` by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `office_product_spawning_certutil_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", + "Graph.exe","winproj.exe") `process_certutil` by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `office_product_spawning_certutil_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: No false positives known. Filter as needed. references: - https://redcanary.com/threat-detection-report/threats/TA551/ diff --git a/detections/endpoint/office_product_spawning_mshta.yml b/detections/endpoint/office_product_spawning_mshta.yml index 73deb19398..43df33f0ae 100644 --- a/detections/endpoint/office_product_spawning_mshta.yml +++ b/detections/endpoint/office_product_spawning_mshta.yml @@ -20,15 +20,19 @@ data_source: search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe", "onenote.exe","onenotem.exe", - "msaccess.exe","Graph.exe","winproj.exe") `process_mshta` by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `office_product_spawning_mshta_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + "msaccess.exe","Graph.exe","winproj.exe") `process_mshta` by Processes.dest Processes.user + Processes.parent_process Processes.process_name Processes.original_file_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_mshta_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: No false positives known. Filter as needed. references: - https://redcanary.com/threat-detection-report/threats/TA551/ diff --git a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml b/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml index a0f1fb6803..d116732dd5 100644 --- a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml +++ b/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml @@ -20,15 +20,19 @@ data_source: search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", - "msaccess.exe", "Graph.exe","winproj.exe") `process_rundll32` (Processes.process!=*.dll*) by Processes.dest - Processes.user Processes.parent_process Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + "msaccess.exe", "Graph.exe","winproj.exe") `process_rundll32` (Processes.process!=*.dll*) + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_rundll32_with_no_dll_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited, but if any are present, filter as needed. references: diff --git a/detections/endpoint/office_product_spawning_windows_script_host.yml b/detections/endpoint/office_product_spawning_windows_script_host.yml index 29c521a044..4d5508e44b 100644 --- a/detections/endpoint/office_product_spawning_windows_script_host.yml +++ b/detections/endpoint/office_product_spawning_windows_script_host.yml @@ -13,15 +13,20 @@ data_source: search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", - "msaccess.exe","Graph.exe","winproj.exe") Processes.process_name IN ("wscript.exe", "cscript.exe") by Processes.dest - Processes.user Processes.parent_process Processes.process_name Processes.original_file_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_windows_script_host_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + "msaccess.exe","Graph.exe","winproj.exe") Processes.process_name IN ("wscript.exe", + "cscript.exe") by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `office_product_spawning_windows_script_host_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present based on macro based approved documents in the organization. Filtering may be needed. references: diff --git a/detections/endpoint/office_product_spawning_wmic.yml b/detections/endpoint/office_product_spawning_wmic.yml index b878783aba..a3dbffeed3 100644 --- a/detections/endpoint/office_product_spawning_wmic.yml +++ b/detections/endpoint/office_product_spawning_wmic.yml @@ -19,16 +19,20 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name - IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") - `process_wmic` by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `office_product_spawning_wmic_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", + "Graph.exe","winproj.exe") `process_wmic` by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `office_product_spawning_wmic_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: No false positives known. Filter as needed. references: - https://app.any.run/tasks/fb894ab8-a966-4b72-920b-935f41756afd/ diff --git a/detections/endpoint/office_spawning_control.yml b/detections/endpoint/office_spawning_control.yml index 434afcd7f3..a381ec4131 100644 --- a/detections/endpoint/office_spawning_control.yml +++ b/detections/endpoint/office_spawning_control.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `office_spawning_control_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives should be present. references: - https://strontic.github.io/xcyclopedia/library/control.exe-1F13E714A0FEA8887707DFF49287996F.html diff --git a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml index a574a32798..aed025f33e 100644 --- a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml +++ b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml @@ -25,9 +25,15 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as connection_to_CNC] | table _time dest parent_process_name process_name process_path process connection_to_CNC dest_port| `outbound_network_connection_from_java_using_default_ports_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Legitimate Java applications may use perform outbound connections to these ports. Filter as needed references: diff --git a/detections/endpoint/password_policy_discovery_with_net.yml b/detections/endpoint/password_policy_discovery_with_net.yml index 661f407d34..0537a7bf27 100644 --- a/detections/endpoint/password_policy_discovery_with_net.yml +++ b/detections/endpoint/password_policy_discovery_with_net.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `password_policy_discovery_with_net_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet diff --git a/detections/endpoint/permission_modification_using_takeown_app.yml b/detections/endpoint/permission_modification_using_takeown_app.yml index 60cd6a95aa..55491b6922 100644 --- a/detections/endpoint/permission_modification_using_takeown_app.yml +++ b/detections/endpoint/permission_modification_using_takeown_app.yml @@ -16,10 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `permission_modification_using_takeown_app_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: takeown.exe is a normal windows application that may used by network operator. references: diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml index 4c2dcda256..9567b07bb4 100644 --- a/detections/endpoint/ping_sleep_batch_command.yml +++ b/detections/endpoint/ping_sleep_batch_command.yml @@ -21,10 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `ping_sleep_batch_command_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator or network operator may execute this command. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/possible_browser_pass_view_parameter.yml b/detections/endpoint/possible_browser_pass_view_parameter.yml index fcabe6461d..31e70ecd7e 100644 --- a/detections/endpoint/possible_browser_pass_view_parameter.yml +++ b/detections/endpoint/possible_browser_pass_view_parameter.yml @@ -25,10 +25,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_browser_pass_view_parameter_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positive is quite limited. Filter is needed references: - https://www.nirsoft.net/utils/web_browser_password.html diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml index 1adcaca163..da0b8f99b4 100644 --- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml @@ -5,9 +5,16 @@ date: '2023-04-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.\ +description: 'The following analytic is designed to identify possible lateral movement + attacks that involve the spawning of a PowerShell process as a child or grandchild + process of commonly abused processes. These processes include services.exe, wmiprsve.exe, + svchost.exe, wsmprovhost.exe, and mmc.exe.\ - Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution. + Such behavior is indicative of legitimate Windows features such as the Service Control + Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, + and the DCOM protocol being abused to start a process on a remote endpoint. This + behavior is often seen during lateral movement techniques where adversaries or red + teams abuse these services for lateral movement and remote code execution.' data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -19,9 +26,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Legitimate applications may spawn PowerShell as a child process of the the identified processes. Filter as needed. references: diff --git a/detections/endpoint/potentially_malicious_code_on_commandline.yml b/detections/endpoint/potentially_malicious_code_on_commandline.yml index afd14aa123..e35b169b15 100644 --- a/detections/endpoint/potentially_malicious_code_on_commandline.yml +++ b/detections/endpoint/potentially_malicious_code_on_commandline.yml @@ -24,11 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime process=orig_process | fields - unusual_cmdline* predicted(unusual_cmdline_logits) orig_process | where score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `potentially_malicious_code_on_commandline_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. You will also need to install the Machine Learning Toolkit version 5.3 - or above to apply the pretrained model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: This model is an anomaly detector that identifies usage of APIs and scripting constructs that are correllated with malicious activity. These APIs and scripting constructs are part of the programming langauge and advanced diff --git a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml index b434eb0b62..92cdaca570 100644 --- a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml +++ b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml @@ -22,11 +22,15 @@ search: "| tstats `security_content_summariesonly` count min(_time) as firstTime \ Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`\ \ | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|\u2013\ |\u2014|\u2015]w(in*d*o*w*s*t*y*l*e*)*\\s+[^-]\") | `powershell___connect_to_internet_with_hidden_window_filter`" -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Legitimate process can have this combination of command-line options, but it's not common. references: diff --git a/detections/endpoint/powershell_disable_security_monitoring.yml b/detections/endpoint/powershell_disable_security_monitoring.yml index 9d50af0797..c4b6435046 100644 --- a/detections/endpoint/powershell_disable_security_monitoring.yml +++ b/detections/endpoint/powershell_disable_security_monitoring.yml @@ -5,9 +5,9 @@ date: '2022-07-15' author: Michael Haag, Splunk status: production type: TTP -description: This search identifies a modification in registry to disable the - windows defender real time behavior monitoring. This event or technique is commonly - seen in RATs, bots, or Trojans to disable AV to evade detections. +description: This search identifies a modification in registry to disable the windows + defender real time behavior monitoring. This event or technique is commonly seen + in RATs, bots, or Trojans to disable AV to evade detections. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_disable_security_monitoring_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives. However, tune based on scripts that may perform this action. references: @@ -34,7 +38,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Windows Defender Real-time Behavior Monitoring disabled on $dest$ + message: Windows Defender Real-time Behavior Monitoring disabled on $dest$ mitre_attack_id: - T1562.001 - T1562 diff --git a/detections/endpoint/powershell_get_localgroup_discovery.yml b/detections/endpoint/powershell_get_localgroup_discovery.yml index b2c8dc9d94..408e11f005 100644 --- a/detections/endpoint/powershell_get_localgroup_discovery.yml +++ b/detections/endpoint/powershell_get_localgroup_discovery.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present. Tune as needed. references: - https://attack.mitre.org/techniques/T1069/001/ diff --git a/detections/endpoint/powershell_start_bitstransfer.yml b/detections/endpoint/powershell_start_bitstransfer.yml index 6baec62181..ccfa90e5f4 100644 --- a/detections/endpoint/powershell_start_bitstransfer.yml +++ b/detections/endpoint/powershell_start_bitstransfer.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_bitstransfer_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives. It is possible administrators will utilize Start-BitsTransfer for administrative tasks, otherwise filter based parent process or command-line arguments. diff --git a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml index 39cb4c7537..3379fdbe8d 100644 --- a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml +++ b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `prevent_automatic_repair_mode_using_bcdedit_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed bcdedit.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may modify the boot configuration ignore failure during testing and debugging. references: diff --git a/detections/endpoint/process_execution_via_wmi.yml b/detections/endpoint/process_execution_via_wmi.yml index 7b372b51ef..ab6d1495a9 100644 --- a/detections/endpoint/process_execution_via_wmi.yml +++ b/detections/endpoint/process_execution_via_wmi.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_execution_via_wmi_filter` ' -how_to_implement: You must be ingesting endpoint data that tracks process activity, - including parent-child relationships from your endpoints to populate the Endpoint - data model in the Processes node. The command-line arguments are mapped to the "process" - field in the Endpoint data model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, administrators may use wmi to execute commands for legitimate purposes. references: [] diff --git a/detections/endpoint/process_kill_base_on_file_path.yml b/detections/endpoint/process_kill_base_on_file_path.yml index 3231992cd0..f4b3b9e6b6 100644 --- a/detections/endpoint/process_kill_base_on_file_path.yml +++ b/detections/endpoint/process_kill_base_on_file_path.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.process_name Processes.original_file_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_kill_base_on_file_path_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ diff --git a/detections/endpoint/processes_launching_netsh.yml b/detections/endpoint/processes_launching_netsh.yml index 881ca3cd3a..d9a490d0d6 100644 --- a/detections/endpoint/processes_launching_netsh.yml +++ b/detections/endpoint/processes_launching_netsh.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces Processes.original_file_name Processes.process_name Processes.user Processes.dest |`drop_dm_object_name("Processes")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`processes_launching_netsh_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands. diff --git a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml index 2ee1221ffb..ddad2456ca 100644 --- a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml +++ b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recursive_delete_of_directory_in_batch_cmd_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: network operator may use this batch command to delete recursively a directory or files within directory references: diff --git a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml index 4051926fd2..8cb739224a 100644 --- a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml +++ b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml @@ -16,12 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process=*Services* by Processes.process_id Processes.dest Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `reg_exe_manipulating_windows_services_registry_keys_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data - that records registry activity from your hosts to populate the endpoint data model - in the registry node. This is typically populated via endpoint detection-and-response - product, such as Carbon Black or endpoint data sources, such as Sysmon. The data - used for this search is typically generated via logs that report reads and writes - to the registry. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate. diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml index 0ffd192375..4bb6eead6d 100644 --- a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml +++ b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,"(?i)[\-|\/][Ss]{1}") | `regsvr32_silent_and_install_param_dll_loading_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Other third part application may used this parameter but not so common in base windows environment. references: diff --git a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml index 3743d62d8c..db02c34cdf 100644 --- a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml +++ b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,"(?i)[\-|\/][Ss]{1}") | `regsvr32_with_known_silent_switch_cmdline_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: minimal. but network operator can use this application to load dll. references: diff --git a/detections/endpoint/remcos_client_registry_install_entry.yml b/detections/endpoint/remcos_client_registry_install_entry.yml index 1c2e06e29a..5d3877de36 100644 --- a/detections/endpoint/remcos_client_registry_install_entry.yml +++ b/detections/endpoint/remcos_client_registry_install_entry.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`remcos_client_registry_install_entry_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical - Sysmon TA. https://splunkbase.splunk.com/app/570 +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://attack.mitre.org/software/S0332/ diff --git a/detections/endpoint/remote_desktop_process_running_on_system.yml b/detections/endpoint/remote_desktop_process_running_on_system.yml index 2749375633..9a0abf3fde 100644 --- a/detections/endpoint/remote_desktop_process_running_on_system.yml +++ b/detections/endpoint/remote_desktop_process_running_on_system.yml @@ -16,14 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter` ' -how_to_implement: To successfully implement this search, you must be ingesting data - that records process activity from your hosts to populate the endpoint data model - in the processes node. The search requires you to identify systems that do not commonly - use remote desktop. You can use the included support search "Identify Systems Using - Remote Desktop" to identify these systems. After identifying them, you will need - to add the "common_rdp_source" category to that system using the Enterprise Security - Assets and Identities framework. This can be done by adding an entry in the assets.csv - file located in `SA-IdentityManagement/lookups`. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Remote Desktop may be used legitimately by users on the network. references: [] tags: diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml index 6943bcfa99..49658c595e 100644 --- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. references: diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml index a82c5b7e6e..378100fa4c 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. However, this activity is usually limited to a small set of hosts or users. diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml index 56fee65ba6..aebe442a2b 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_winrs_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may leverage WinRM and WinRs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. diff --git a/detections/endpoint/remote_process_instantiation_via_wmi.yml b/detections/endpoint/remote_process_instantiation_via_wmi.yml index 95eb915a58..c1722a0c20 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: The wmic.exe utility is a benign Windows application. It may be used legitimately by Administrators with these parameters for remote system administration, but it's relatively uncommon. diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml index 1833d4f7d9..db6115819a 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime create*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. diff --git a/detections/endpoint/remote_system_discovery_with_dsquery.yml b/detections/endpoint/remote_system_discovery_with_dsquery.yml index 9a330407d2..5f2f4b5897 100644 --- a/detections/endpoint/remote_system_discovery_with_dsquery.yml +++ b/detections/endpoint/remote_system_discovery_with_dsquery.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_dsquery_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ diff --git a/detections/endpoint/remote_system_discovery_with_net.yml b/detections/endpoint/remote_system_discovery_with_net.yml index 2de7076d43..628aff423a 100644 --- a/detections/endpoint/remote_system_discovery_with_net.yml +++ b/detections/endpoint/remote_system_discovery_with_net.yml @@ -19,9 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_net_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ diff --git a/detections/endpoint/remote_system_discovery_with_wmic.yml b/detections/endpoint/remote_system_discovery_with_wmic.yml index 27db19dd4f..23fbc224db 100644 --- a/detections/endpoint/remote_system_discovery_with_wmic.yml +++ b/detections/endpoint/remote_system_discovery_with_wmic.yml @@ -19,9 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_wmic_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ diff --git a/detections/endpoint/remote_wmi_command_attempt.yml b/detections/endpoint/remote_wmi_command_attempt.yml index 8c50722c7f..e92b831bff 100644 --- a/detections/endpoint/remote_wmi_command_attempt.yml +++ b/detections/endpoint/remote_wmi_command_attempt.yml @@ -17,12 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_wmi_command_attempt_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. Deprecated because duplicate of Remote Process Instantiation via - WMI. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may use this legitimately to gather info from remote systems. Filter as needed. references: diff --git a/detections/endpoint/resize_shadowstorage_volume.yml b/detections/endpoint/resize_shadowstorage_volume.yml index 78d5d553da..8d7ac34b4e 100644 --- a/detections/endpoint/resize_shadowstorage_volume.yml +++ b/detections/endpoint/resize_shadowstorage_volume.yml @@ -23,10 +23,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `resize_shadowstorage_volume_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: network admin can resize the shadowstorage for valid purposes. references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft diff --git a/detections/endpoint/revil_common_exec_parameter.yml b/detections/endpoint/revil_common_exec_parameter.yml index 14e6f09d30..42e03be2aa 100644 --- a/detections/endpoint/revil_common_exec_parameter.yml +++ b/detections/endpoint/revil_common_exec_parameter.yml @@ -16,10 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_common_exec_parameter_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: third party tool may have same command line parameters as revil ransomware. references: diff --git a/detections/endpoint/revil_registry_entry.yml b/detections/endpoint/revil_registry_entry.yml index 823932d4d2..7ab01e5dd9 100644 --- a/detections/endpoint/revil_registry_entry.yml +++ b/detections/endpoint/revil_registry_entry.yml @@ -25,10 +25,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_registry_entry_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical - Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/ diff --git a/detections/endpoint/rubeus_command_line_parameters.yml b/detections/endpoint/rubeus_command_line_parameters.yml index 4a298022b1..829aeb2c8a 100644 --- a/detections/endpoint/rubeus_command_line_parameters.yml +++ b/detections/endpoint/rubeus_command_line_parameters.yml @@ -27,10 +27,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rubeus_command_line_parameters_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, legitimate applications may use the same command line parameters as Rubeus. Filter as needed. references: diff --git a/detections/endpoint/runas_execution_in_commandline.yml b/detections/endpoint/runas_execution_in_commandline.yml index f2f91a88bc..14511932e0 100644 --- a/detections/endpoint/runas_execution_in_commandline.yml +++ b/detections/endpoint/runas_execution_in_commandline.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `runas_execution_in_commandline_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: A network operator or systems administrator may utilize an automated or manual execute this command that may generate false positives. filter is needed. diff --git a/detections/endpoint/rundll32_control_rundll_hunt.yml b/detections/endpoint/rundll32_control_rundll_hunt.yml index b50b9325a3..4e8f6bbac2 100644 --- a/detections/endpoint/rundll32_control_rundll_hunt.yml +++ b/detections/endpoint/rundll32_control_rundll_hunt.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_hunt_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: This is a hunting detection, meant to provide a understanding of how voluminous control_rundll is within the environment. references: diff --git a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml index d28137cd0f..e9eb1cdc8b 100644 --- a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml +++ b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml @@ -22,11 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_world_writable_directory_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: This may be tuned, or a new one related, by adding .cpl to command-line. However, it's important to look for both. Tune/filter as needed. references: diff --git a/detections/endpoint/rundll32_lockworkstation.yml b/detections/endpoint/rundll32_lockworkstation.yml index 128167f802..212fa1eb83 100644 --- a/detections/endpoint/rundll32_lockworkstation.yml +++ b/detections/endpoint/rundll32_lockworkstation.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_lockworkstation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://threadreaderapp.com/thread/1423361119926816776.html diff --git a/detections/endpoint/rundll32_shimcache_flush.yml b/detections/endpoint/rundll32_shimcache_flush.yml index 444c418c33..de08051a8f 100644 --- a/detections/endpoint/rundll32_shimcache_flush.yml +++ b/detections/endpoint/rundll32_shimcache_flush.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_shimcache_flush_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://blueteamops.medium.com/shimcache-flush-89daff28d15e diff --git a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml index 444db9572a..1bfe52fe6d 100644 --- a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml @@ -24,13 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `rundll32_with_no_command_line_arguments_with_network_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` and `port` node. - To successfully implement this search you need to be ingesting information on process - that include the name of the process responsible for the changes from your endpoints - into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the - latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. references: diff --git a/detections/endpoint/rundll_loading_dll_by_ordinal.yml b/detections/endpoint/rundll_loading_dll_by_ordinal.yml index 6867d4e118..80efc90be6 100644 --- a/detections/endpoint/rundll_loading_dll_by_ordinal.yml +++ b/detections/endpoint/rundll_loading_dll_by_ordinal.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,"rundll32.+\#\d+") | `rundll_loading_dll_by_ordinal_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives are possible with native utilities and third party applications. Filtering may be needed based on command-line, or add world writeable paths to restrict query. diff --git a/detections/endpoint/ryuk_wake_on_lan_command.yml b/detections/endpoint/ryuk_wake_on_lan_command.yml index c1d2fe0d07..29a85e4c35 100644 --- a/detections/endpoint/ryuk_wake_on_lan_command.yml +++ b/detections/endpoint/ryuk_wake_on_lan_command.yml @@ -22,9 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ryuk_wake_on_lan_command_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited to no known false positives. references: - https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/ diff --git a/detections/endpoint/sc_exe_manipulating_windows_services.yml b/detections/endpoint/sc_exe_manipulating_windows_services.yml index c30a5db1ff..e87919ee87 100644 --- a/detections/endpoint/sc_exe_manipulating_windows_services.yml +++ b/detections/endpoint/sc_exe_manipulating_windows_services.yml @@ -15,9 +15,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as config *") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate. diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml index 2c18760f2d..3f597ee292 100644 --- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml +++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml @@ -5,9 +5,22 @@ date: '2021-11-11' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users.\ +description: 'The following analytic detects the creation of suspicious tasks on a + remote Windows endpoint using the at.exe command with command-line arguments. This + technique is commonly used by red teams and adversaries for lateral movement and + remote code execution. The at.exe binary leverages the deprecated AT protocol, which + may still work on previous versions of Windows. Attackers can enable this protocol + on demand by modifying a system registry key. It is important to consider potential + false positives. While administrators may create scheduled tasks on remote systems, + this activity is typically limited to a small set of hosts or users.\ - Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. + Identifying the creation of scheduled tasks on remote endpoints is crucial for a + Security Operations Center (SOC) because it indicates potential unauthorized activity + or an attacker attempting to establish persistence or execute malicious code. The + impact of a true positive can be significant, leading to unauthorized access, data + theft, or other damaging outcomes. During triage, investigate the source and purpose + of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent + processes to identify the extent of the attack and take appropriate response actions.' data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -16,9 +29,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_creation_on_remote_endpoint_using_at_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. references: diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index 8505c38fb5..ce195e5cb0 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -5,12 +5,15 @@ date: '2023-04-05' author: Bhavin Patel, Splunk status: production type: TTP -description: This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility - with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors - like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity - related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these - specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of - scheduled tasks in the BadRabbit Ransomware incident. +description: This analytic focuses on identifying the creation or deletion of scheduled + tasks using the schtasks.exe utility with the corresponding command-line flags (-create + or -delete). This technique has been notably associated with threat actors like + Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic + is to detect suspicious activity related to scheduled tasks that could indicate + malicious intent or unauthorized system manipulation. By monitoring for these specific + command-line flags, we can enhance our ability to identify potential threats and + prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware + incident. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process) @@ -19,12 +22,19 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces (Processes.process=*delete* OR Processes.process=*create*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_deleted_or_created_via_cmd_filter` ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. Analysts should reference the provided references to understand the context and threat landscape associated with this activity. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: While it is possible for legitimate scripts or administrators + to trigger this behavior, filtering can be applied based on the parent process and + application to reduce false positives. Analysts should reference the provided references + to understand the context and threat landscape associated with this activity. references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ - https://www.joesandbox.com/analysis/691823/0/html diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml index d6ff47aeeb..b61efd6c77 100644 --- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml @@ -5,7 +5,14 @@ date: '2021-11-11' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. +description: This analytic detects instances of 'schtasks.exe' being used to start + a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler + for lateral movement and remote code execution. The search parameters include process + details such as the process name, parent process, and command-line executions. + Although legitimate administrators may start scheduled tasks on remote systems, + this activity is usually limited to a small set of hosts or users. The findings + from this analytic provide valuable insight into potentially malicious activities + on an endpoint. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -14,9 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_initiation_on_remote_endpoint_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. references: diff --git a/detections/endpoint/schtasks_run_task_on_demand.yml b/detections/endpoint/schtasks_run_task_on_demand.yml index 8f66aec11e..1641839fa2 100644 --- a/detections/endpoint/schtasks_run_task_on_demand.yml +++ b/detections/endpoint/schtasks_run_task_on_demand.yml @@ -5,7 +5,12 @@ date: '2023-04-14' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. +description: The following analytic is designed to detect when a Windows Scheduled + Task is executed on demand via shell or command line. Adversaries often force the + execution of their created Scheduled Tasks for persistent access or lateral movement + within a compromised machine. This analytic is driven by process-related data, specifically + process name, parent process, and command-line executions, sourced from endpoint + logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -14,11 +19,18 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.process = "*/run*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_run_task_on_demand_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed schtasks.exe may be used. -known_false_positives: Bear in mind, administrators debugging Scheduled Task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Bear in mind, administrators debugging Scheduled Task entries + may trigger this analytic, necessitating fine-tuning and filtering to distinguish + between legitimate and potentially malicious use of 'schtasks.exe'. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ tags: diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml index 0198e2799d..cd8c096ebe 100644 --- a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml +++ b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml @@ -5,7 +5,14 @@ date: '2022-05-23' author: David Dorsey, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. +description: The following analytic is designed to detect suspicious command-line + arguments executed through 'schtasks.exe' to create a scheduled task on a remote + endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' + has been used with specific command-line flags that suggest an attempt at lateral + movement or remote code execution, common techniques employed by adversaries and + red teams. Key data points include the process name, the specific command line used, + the parent process name, the target destination, and the user involved. Also, timestamp + data gives context to when these activities occurred. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -14,12 +21,18 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process="*/s*") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_scheduling_job_on_remote_system_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. -known_false_positives: While it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: While it is possible to have false positives, due to legitimate + administrative tasks, these are usually limited and should still be validated and + investigated as appropriate. references: [] tags: analytic_story: diff --git a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml index cbea55c8ed..ccb90527da 100644 --- a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml +++ b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml @@ -5,7 +5,15 @@ date: '2020-12-07' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. +description: The following analytic utilizes a Splunk query to pinpoint potential + threats by monitoring the 'schtasks.exe' command-line usage. This particular command, + especially when used in tandem with 'shutdown' and '/create' flags, can suggest + an adversarial force intending to schedule unwarranted system reboots. The query + focuses on endpoint process data and retrieves details such as the process name, + the parent process name, the destination, and the user involved. Essential to the + investigation are the earliest and latest timestamps of these events, providing + an activity timeline. Data such as the targeted host and initiating user offer valuable + context for analyst. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -14,12 +22,18 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as *" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_used_for_forcing_a_reboot_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: This analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. Filter as needed. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: This analytic may also capture legitimate administrative activities + such as system updates or maintenance tasks, which can be classified as false positives. + Filter as needed. references: [] tags: analytic_story: diff --git a/detections/endpoint/script_execution_via_wmi.yml b/detections/endpoint/script_execution_via_wmi.yml index bb8c2cda02..b5c3cc0f85 100644 --- a/detections/endpoint/script_execution_via_wmi.yml +++ b/detections/endpoint/script_execution_via_wmi.yml @@ -5,7 +5,18 @@ date: '2020-03-16' author: Rico Valdez, Michael Haag, Splunk status: production type: TTP -description: The following analytic is designed to detect the potential misuse of Windows Management Instrumentation (WMI) for malicious purposes. WMI can be utilized by adversaries to execute scripts, a method often employed for maintaining stealth while carrying out malicious activities. The process 'scrcons.exe', integral to executing WMI scripts, is primarily monitored by this analytic. The underlying threat lies in the fact that successful execution of a malicious script can lead to numerous negative outcomes, including system compromise, data exfiltration, or the establishment of persistence. It's essential for cybersecurity analysts to remain vigilant towards unexpected or isolated script executions via WMI, as such instances often signal suspicious activities or potential security breaches. Although uncommon, administrators may occasionally use WMI to launch scripts for legitimate purposes. Therefore, discerning malicious activities from benign ones is crucial in this context. +description: The following analytic is designed to detect the potential misuse of + Windows Management Instrumentation (WMI) for malicious purposes. WMI can be utilized + by adversaries to execute scripts, a method often employed for maintaining stealth + while carrying out malicious activities. The process 'scrcons.exe', integral to + executing WMI scripts, is primarily monitored by this analytic. The underlying threat + lies in the fact that successful execution of a malicious script can lead to numerous + negative outcomes, including system compromise, data exfiltration, or the establishment + of persistence. It's essential for cybersecurity analysts to remain vigilant towards + unexpected or isolated script executions via WMI, as such instances often signal + suspicious activities or potential security breaches. Although uncommon, administrators + may occasionally use WMI to launch scripts for legitimate purposes. Therefore, discerning + malicious activities from benign ones is crucial in this context. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -13,10 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `script_execution_via_wmi_filter` ' -how_to_implement: You must be ingesting endpoint data that tracks process activity, - including parent-child relationships from your endpoints to populate the Endpoint - data model in the Processes node. The command-line arguments are mapped to the "process" - field in the Endpoint data model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, administrators may use wmi to launch scripts for legitimate purposes. Filter as needed. references: diff --git a/detections/endpoint/sdclt_uac_bypass.yml b/detections/endpoint/sdclt_uac_bypass.yml index edf8701718..1e55241179 100644 --- a/detections/endpoint/sdclt_uac_bypass.yml +++ b/detections/endpoint/sdclt_uac_bypass.yml @@ -24,10 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdclt_uac_bypass_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical - Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited to no false positives are expected. references: - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ diff --git a/detections/endpoint/sdelete_application_execution.yml b/detections/endpoint/sdelete_application_execution.yml index 80e781d21a..d2a84ab1cf 100644 --- a/detections/endpoint/sdelete_application_execution.yml +++ b/detections/endpoint/sdelete_application_execution.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdelete_application_execution_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: user may execute and use this application references: - https://app.any.run/tasks/956f50be-2c13-465a-ac00-6224c14c5f89/ diff --git a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml index 6282e5a9f7..521121a156 100644 --- a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml +++ b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml @@ -23,9 +23,15 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `searchprotocolhost_with_no_command_line_with_network_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` and `ports` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives may be present in small environments. Tuning may be required based on parent process. references: diff --git a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml index 23317fc878..5accd51ed6 100644 --- a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml +++ b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `secretdumps_offline_ntds_dumping_tool_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml index 8c9c7dd6f3..f180e80462 100644 --- a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml +++ b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml @@ -37,11 +37,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `serviceprincipalnames_discovery_with_setspn_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be caused by Administrators resetting SPNs or querying for SPNs. Filter as needed. references: diff --git a/detections/endpoint/services_escalate_exe.yml b/detections/endpoint/services_escalate_exe.yml index 4e7bb63c84..8640c5cb6d 100644 --- a/detections/endpoint/services_escalate_exe.yml +++ b/detections/endpoint/services_escalate_exe.yml @@ -25,8 +25,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_escalate_exe_filter`' -how_to_implement: To successfully implement this search, you will need to ensure that - DNS data is populating the Network_Resolution data model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited as `services.exe` should never spawn a process from `ADMIN$`. Filter as needed. references: diff --git a/detections/endpoint/services_lolbas_execution_process_spawn.yml b/detections/endpoint/services_lolbas_execution_process_spawn.yml index 54f6922d45..35cafa383d 100644 --- a/detections/endpoint/services_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/services_lolbas_execution_process_spawn.yml @@ -30,9 +30,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_lolbas_execution_process_spawn_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Legitimate applications may trigger this behavior, filter as needed. references: diff --git a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml index a345fceaea..24c60b0206 100644 --- a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml +++ b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml @@ -22,10 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical - Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to "unrestricted" or "bypass" as this search is designed to identify, would be unusual. Hits should diff --git a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml index 150a54a207..be8dc202ce 100644 --- a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml +++ b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as where Processes.process_name = sdbinst.exe by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `shim_database_installation_with_suspicious_parameters_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: None identified references: [] tags: diff --git a/detections/endpoint/silentcleanup_uac_bypass.yml b/detections/endpoint/silentcleanup_uac_bypass.yml index 972480b67d..17506eb9f0 100644 --- a/detections/endpoint/silentcleanup_uac_bypass.yml +++ b/detections/endpoint/silentcleanup_uac_bypass.yml @@ -23,10 +23,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `silentcleanup_uac_bypass_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical - Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://github.com/hfiref0x/UACME diff --git a/detections/endpoint/single_letter_process_on_endpoint.yml b/detections/endpoint/single_letter_process_on_endpoint.yml index 895b812d07..909a5671d6 100644 --- a/detections/endpoint/single_letter_process_on_endpoint.yml +++ b/detections/endpoint/single_letter_process_on_endpoint.yml @@ -15,11 +15,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime endExe = if(substr(process_name, -4) == ".exe", 1, 0) | search process_name_length=5 AND endExe=1 | table count, firstTime, lastTime, dest, user, process, process_name | `single_letter_process_on_endpoint_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Single-letter executables are not always malicious. Investigate this activity with your normal incident-response process. references: [] diff --git a/detections/endpoint/slui_runas_elevated.yml b/detections/endpoint/slui_runas_elevated.yml index 8e8303bdeb..53526e61b2 100644 --- a/detections/endpoint/slui_runas_elevated.yml +++ b/detections/endpoint/slui_runas_elevated.yml @@ -19,9 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_runas_elevated_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives should be present as this is not commonly used by legitimate applications. references: diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml index 970b792cc5..039e57fff7 100644 --- a/detections/endpoint/slui_spawning_a_process.yml +++ b/detections/endpoint/slui_spawning_a_process.yml @@ -19,9 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_spawning_a_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Certain applications may spawn from `slui.exe` that are legitimate. Filtering will be needed to ensure proper monitoring. references: diff --git a/detections/endpoint/spoolsv_spawning_rundll32.yml b/detections/endpoint/spoolsv_spawning_rundll32.yml index dbe539ff7b..24a8fb1494 100644 --- a/detections/endpoint/spoolsv_spawning_rundll32.yml +++ b/detections/endpoint/spoolsv_spawning_rundll32.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_spawning_rundll32_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives have been identified. There are limited instances where `rundll32.exe` may be spawned by a legitimate print driver. references: diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml index e2b5685182..95e7339198 100644 --- a/detections/endpoint/suspicious_copy_on_system32.yml +++ b/detections/endpoint/suspicious_copy_on_system32.yml @@ -12,23 +12,25 @@ description: This analytic is to detect a suspicious copy of file from systemroo but this is really a anomaly that needs to be check within the network. data_source: - Sysmon Event ID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.parent_process_name IN("cmd.exe", "powershell*","pwsh.exe", "sqlps.exe", "sqltoolsps.exe", "powershell_ise.exe") +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name + IN("cmd.exe", "powershell*","pwsh.exe", "sqlps.exe", "sqltoolsps.exe", "powershell_ise.exe") AND `process_copy` AND Processes.process IN("*\\Windows\\System32\\*", "*\\Windows\\SysWow64\\*") - AND Processes.process = "*copy*" - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id temp - | `drop_dm_object_name(Processes)` - | eval splitted_commandline=split(process," ") - | eval first_cmdline=lower(mvindex(splitted_commandline,0)) - | where NOT LIKE(first_cmdline,"%\\windows\\system32\\%") AND NOT LIKE(first_cmdline,"%\\windows\\syswow64\\%") - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - |`suspicious_copy_on_system32_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + AND Processes.process = "*copy*" by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + temp | `drop_dm_object_name(Processes)` | eval splitted_commandline=split(process," + ") | eval first_cmdline=lower(mvindex(splitted_commandline,0)) | where NOT LIKE(first_cmdline,"%\\windows\\system32\\%") + AND NOT LIKE(first_cmdline,"%\\windows\\syswow64\\%") | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` |`suspicious_copy_on_system32_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: every user may do this event but very un-ussual. references: - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120 diff --git a/detections/endpoint/suspicious_curl_network_connection.yml b/detections/endpoint/suspicious_curl_network_connection.yml index 43f0d0e2a4..1d8f33c8bf 100644 --- a/detections/endpoint/suspicious_curl_network_connection.yml +++ b/detections/endpoint/suspicious_curl_network_connection.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_curl_network_connection_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. Filter as needed. references: - https://redcanary.com/blog/clipping-silver-sparrows-wings/ diff --git a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml index ec10fa68a3..2d30524090 100644 --- a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(dllhost\.exe.{0,4}$)" | `suspicious_dllhost_no_command_line_arguments_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives may be present in small environments. Tuning may be required based on parent process. references: diff --git a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml index 29a48aa774..888596ce00 100644 --- a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(gpupdate\.exe.{0,4}$)" | `suspicious_gpupdate_no_command_line_arguments_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives may be present in small environments. Tuning may be required based on parent process. references: diff --git a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml index 7ccc09bd45..6f71e8fcb5 100644 --- a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml +++ b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_icedid_rundll32_cmdline_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: limitted. this parameter is not commonly used by windows application but can be used by the network operator. references: diff --git a/detections/endpoint/suspicious_linux_discovery_commands.yml b/detections/endpoint/suspicious_linux_discovery_commands.yml index d8085344d1..7f8eb4c13a 100644 --- a/detections/endpoint/suspicious_linux_discovery_commands.yml +++ b/detections/endpoint/suspicious_linux_discovery_commands.yml @@ -22,9 +22,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces by _time span=5m Processes.user Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where distinct_commands > 40 AND distinct_process_names > 3| `suspicious_linux_discovery_commands_filter`' -how_to_implement: This detection search is based on Splunk add-on for Microsoft Sysmon-Linux.(https://splunkbase.splunk.com/app/6176/). - Please install this add-on to parse fields correctly and execute detection search. - Consider customizing the time window and threshold values according to your environment. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unless an administrator is using these commands to troubleshoot or audit a system, the execution of these commands should be monitored. references: diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml index 2b6dcd41d1..79fe61e185 100644 --- a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml +++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_rename_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive. references: diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml index 1abdf8ecf7..1a0d7dc84c 100644 --- a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml +++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_usage_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, limited instances have been identified coming from native Microsoft utilities similar to SCCM. references: diff --git a/detections/endpoint/suspicious_msbuild_path.yml b/detections/endpoint/suspicious_msbuild_path.yml index b077b803e7..95be6f0226 100644 --- a/detections/endpoint/suspicious_msbuild_path.yml +++ b/detections/endpoint/suspicious_msbuild_path.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces by Processes.dest Processes.original_file_name Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_msbuild_path_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. Baselining of MSBuild.exe usage is recommended to better understand it's path usage. Visual Studio runs an instance out of a path that will diff --git a/detections/endpoint/suspicious_msbuild_rename.yml b/detections/endpoint/suspicious_msbuild_rename.yml index 990348ae6e..36718b4ba3 100644 --- a/detections/endpoint/suspicious_msbuild_rename.yml +++ b/detections/endpoint/suspicious_msbuild_rename.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_rename_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive. references: diff --git a/detections/endpoint/suspicious_msbuild_spawn.yml b/detections/endpoint/suspicious_msbuild_spawn.yml index 373a1cd15f..5ff76d6227 100644 --- a/detections/endpoint/suspicious_msbuild_spawn.yml +++ b/detections/endpoint/suspicious_msbuild_spawn.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces AND `process_msbuild` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_spawn_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. references: diff --git a/detections/endpoint/suspicious_mshta_child_process.yml b/detections/endpoint/suspicious_mshta_child_process.yml index 2faa81a092..29d4cea38a 100644 --- a/detections/endpoint/suspicious_mshta_child_process.yml +++ b/detections/endpoint/suspicious_mshta_child_process.yml @@ -21,10 +21,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces OR Processes.process_name=cmd.exe) by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_child_process_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. references: diff --git a/detections/endpoint/suspicious_mshta_spawn.yml b/detections/endpoint/suspicious_mshta_spawn.yml index ef28b43cf6..c86d4c347b 100644 --- a/detections/endpoint/suspicious_mshta_spawn.yml +++ b/detections/endpoint/suspicious_mshta_spawn.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces OR Processes.parent_process_name=wmiprvse.exe) AND `process_mshta` by Processes.dest Processes.parent_process Processes.user Processes.original_file_name| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_spawn_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. references: diff --git a/detections/endpoint/suspicious_plistbuddy_usage.yml b/detections/endpoint/suspicious_plistbuddy_usage.yml index 717d60d71d..bab9808487 100644 --- a/detections/endpoint/suspicious_plistbuddy_usage.yml +++ b/detections/endpoint/suspicious_plistbuddy_usage.yml @@ -37,9 +37,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_plistbuddy_usage_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm. diff --git a/detections/endpoint/suspicious_process_executed_from_container_file_filter.yml b/detections/endpoint/suspicious_process_executed_from_container_file_filter.yml index 2afd72ceac..04d64d4076 100644 --- a/detections/endpoint/suspicious_process_executed_from_container_file_filter.yml +++ b/detections/endpoint/suspicious_process_executed_from_container_file_filter.yml @@ -5,16 +5,30 @@ date: '2023-06-13' author: Steven Dick status: production type: TTP -description: This analytic identifies a suspicious process spawned by another process from within common container/archive file types. This technique was a common technique used by adversaries and malware to execute scripts or evade defenses. This TTP may detect some normal software installation or user behaviors where opening archive files is common. +description: This analytic identifies a suspicious process spawned by another process + from within common container/archive file types. This technique was a common technique + used by adversaries and malware to execute scripts or evade defenses. This TTP may + detect some normal software installation or user behaviors where opening archive + files is common. data_source: - Sysmon 1 - Windows Security 4688 -search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*.ZIP\\*","*.ISO\\*","*.IMG\\*","*.CAB\\*","*.TAR\\*","*.GZ\\*","*.RAR\\*","*.7Z\\*") AND Processes.action="allowed" by Processes.dest Processes.parent_process Processes.process Processes.user| `drop_dm_object_name(Processes)`| regex process="(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\"?$" | rex field=process "(?i).+\\\\(?[^\\\]+\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\((.+\\\\)+)?(?.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\"?$"| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_executed_from_container_file_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +search: '| tstats `security_content_summariesonly` count values(Processes.process_name) + as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process IN ("*.ZIP\\*","*.ISO\\*","*.IMG\\*","*.CAB\\*","*.TAR\\*","*.GZ\\*","*.RAR\\*","*.7Z\\*") + AND Processes.action="allowed" by Processes.dest Processes.parent_process Processes.process + Processes.user| `drop_dm_object_name(Processes)`| regex process="(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\"?$" + | rex field=process "(?i).+\\\\(?[^\\\]+\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\((.+\\\\)+)?(?.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\"?$"| + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_executed_from_container_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Various business process or userland applications and behavior. references: - https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations @@ -24,12 +38,12 @@ tags: analytic_story: - Unusual Processes asset_type: Endpoint - confidence: 20 + confidence: 20 impact: 80 message: A suspicious process $process_name$ was launched from $file_name$ on $dest$. mitre_attack_id: - - T1204.002 - - T1036.008 + - T1204.002 + - T1036.008 observable: - name: dest type: Endpoint @@ -49,9 +63,9 @@ tags: - Splunk Cloud required_fields: - _time - - Processes.dest - - Processes.parent_process - - Processes.process + - Processes.dest + - Processes.parent_process + - Processes.process - Processes.user risk_score: 16 security_domain: endpoint @@ -60,4 +74,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml index 93419d33fe..d3748b72d3 100644 --- a/detections/endpoint/suspicious_process_file_path.yml +++ b/detections/endpoint/suspicious_process_file_path.yml @@ -5,12 +5,14 @@ date: '2023-06-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies a suspicious processes running in file paths - that are not typically associated with legitimate software. Adversaries often employ this technique - to drop and execute malicious executables in accessible locations that do not require administrative privileges. - By monitoring for processes running in such unconventional file paths, we can identify potential indicators of - compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system - security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution. +description: This analytic identifies a suspicious processes running in file paths + that are not typically associated with legitimate software. Adversaries often employ + this technique to drop and execute malicious executables in accessible locations + that do not require administrative privileges. By monitoring for processes running + in such unconventional file paths, we can identify potential indicators of compromise + and proactively respond to malicious activity. This analytic plays a crucial role + in enhancing system security by pinpointing suspicious behaviors commonly associated + with malware and unauthorized software execution. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process_name) @@ -25,9 +27,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces Processes.parent_process Processes.process_path Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may allow execution of specific binaries in non-standard paths. Filter as needed. references: diff --git a/detections/endpoint/suspicious_reg_exe_process.yml b/detections/endpoint/suspicious_reg_exe_process.yml index 4c5a58dda3..cecc8cbac0 100644 --- a/detections/endpoint/suspicious_reg_exe_process.yml +++ b/detections/endpoint/suspicious_reg_exe_process.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.dest Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] | `suspicious_reg_exe_process_filter` ' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: It's possible for system administrators to write scripts that exhibit this behavior. If this is the case, the search will need to be modified to filter them out. @@ -38,7 +42,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a registry entry. + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to add a registry entry. mitre_attack_id: - T1112 observable: diff --git a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml index 77296cf780..6088ebe792 100644 --- a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml +++ b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml @@ -6,25 +6,27 @@ author: Michael Haag, Splunk status: production type: TTP description: Adversaries may abuse Regsvr32.exe to proxy execution of malicious code - by using non-standard file extensions to load DLLs. Upon investigating, - look for network connections to remote destinations (internal or external). Review - additional parrallel processes and child processes for additional activity. + by using non-standard file extensions to load DLLs. Upon investigating, look for + network connections to remote destinations (internal or external). Review additional + parrallel processes and child processes for additional activity. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN ("*\\appdata\\*", "*\\programdata\\*","*\\windows\\temp\\*") NOT (Processes.process IN ("*.dll*", "*.ax*", "*.ocx*")) - by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`' -how_to_implement: You must be ingesting endpoint data that tracks process activity, - including parent-child relationships from your endpoints, to populate the Endpoint - data model in the Processes node. The command-line arguments are mapped to the "process" - field in the Endpoint data model. Tune the query by filtering additional extensions - found to be used by legitimate processes. To successfully implement this search - you need to be ingesting information on process that include the name of the process - responsible for the changes from your endpoints into the `Endpoint` datamodel in - the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is - installed and the latest TA for the endpoint product. + as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process + IN ("*\\appdata\\*", "*\\programdata\\*","*\\windows\\temp\\*") NOT (Processes.process + IN ("*.dll*", "*.ax*", "*.ocx*")) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.original_file_name Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives with the query restricted to specified paths. Add more world writeable paths as tuning continues. references: @@ -42,7 +44,9 @@ tags: asset_type: Endpoint confidence: 50 impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to evade detection by using a non-standard file extension. + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to evade detection by using a non-standard + file extension. mitre_attack_id: - T1218 - T1218.010 diff --git a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml index 1d8c98c32f..3b228eb74a 100644 --- a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml +++ b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: This is likely to produce false positives and will require some filtering. Tune the query by adding command line paths to known good DLLs, or filtering based on parent process names. @@ -44,8 +48,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a DLL. - code + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to register a DLL. code mitre_attack_id: - T1218 - T1218.011 diff --git a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml index e672e78c55..c8d52d74de 100644 --- a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(rundll32\.exe.{0,4}$)" | `suspicious_rundll32_no_command_line_arguments_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. references: diff --git a/detections/endpoint/suspicious_rundll32_plugininit.yml b/detections/endpoint/suspicious_rundll32_plugininit.yml index e9cc80bd2e..f6c2b189c0 100644 --- a/detections/endpoint/suspicious_rundll32_plugininit.yml +++ b/detections/endpoint/suspicious_rundll32_plugininit.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_plugininit_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: third party application may used this dll export name to execute function. references: diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml index e1691ee157..3e36b2a28c 100644 --- a/detections/endpoint/suspicious_rundll32_startw.yml +++ b/detections/endpoint/suspicious_rundll32_startw.yml @@ -22,11 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_startw_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Although unlikely, some legitimate applications may use Start as a function and call it via the command line. Filter as needed. references: diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 9c6c84890d..139049ce88 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -5,9 +5,17 @@ date: '2021-03-01' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic, "Suspicious Scheduled Task from Public Directory", detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon Event ID 1 data source, searching for instances where schtasks.exe is connected with the directories users\public, \programdata\, or \windows\temp and involves the /create command.\ +description: 'The following analytic, "Suspicious Scheduled Task from Public Directory", + detects the registration of scheduled tasks aimed to execute a binary or script + from public directories, a behavior often associated with malware deployment. It + utilizes the Sysmon Event ID 1 data source, searching for instances where schtasks.exe + is connected with the directories users\public, \programdata\, or \windows\temp + and involves the /create command.\ - The registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network. + The registration of such scheduled tasks in public directories could suggest that + an attacker is trying to maintain persistence or execute malicious scripts. If confirmed + as a true positive, this could lead to data compromise, unauthorized access, and + potential lateral movement within the network.' data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -17,10 +25,19 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `suspicious_scheduled_task_from_public_directory_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. -known_false_positives: The main source of false positives could be the legitimate use of scheduled tasks from these directories. Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: The main source of false positives could be the legitimate + use of scheduled tasks from these directories. Careful tuning of this search may + be necessary to suit the specifics of your environment, reducing the rate of false + positives. references: - https://attack.mitre.org/techniques/T1053/005/ tags: diff --git a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml index d1ed4de967..ae4f0c218c 100644 --- a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(searchprotocolhost\.exe.{0,4}$)" | `suspicious_searchprotocolhost_no_command_line_arguments_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives may be present in small environments. Tuning may be required based on parent process. references: diff --git a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml index 4559abc30f..89ab275a7b 100644 --- a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml +++ b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_sqlite3_lsquarantine_behavior_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. references: - https://redcanary.com/blog/clipping-silver-sparrows-wings/ diff --git a/detections/endpoint/suspicious_wevtutil_usage.yml b/detections/endpoint/suspicious_wevtutil_usage.yml index 6fc603e530..1204fe9a7e 100644 --- a/detections/endpoint/suspicious_wevtutil_usage.yml +++ b/detections/endpoint/suspicious_wevtutil_usage.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as OR Processes.process="*Application*" OR Processes.process="*trace*") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `suspicious_wevtutil_usage_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: The wevtutil.exe application is a legitimate Windows event log utility. Administrators may use it to manage Windows event logs. references: diff --git a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml index 67a706f9b9..ffcd2f2093 100644 --- a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml @@ -5,7 +5,17 @@ date: '2021-11-22' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint. +description: The following analytic is designed to spot instances of 'svchost.exe' + initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. + Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, + resulting in the spawning of a malicious command as a child process of 'svchost.exe'. + By tracking child processes of 'svchost.exe' that align with the LOLBAS project, + potential lateral movement activity can be detected. The analytic examines process + details, including the process name, parent process, and command-line executions. + A comprehensive list of LOLBAS processes is included in the search parameters. Although + the analytic might catch legitimate applications exhibiting this behavior, these + instances should be filtered accordingly. The findings from this analytic offer + valuable insight into potentially malicious activities on an endpoint. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -23,9 +33,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `svchost_lolbas_execution_process_spawn_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Legitimate applications may trigger this behavior, filter as needed. references: diff --git a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml index a1ee591c92..f8e47f7fd9 100644 --- a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml +++ b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_info_gathering_using_dxdiag_application_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` - node. In addition, confirm the latest CIM App 4.20 or higher is installed and the - latest TA for the endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: This commandline can be used by a network administrator to audit host machine specifications. Thus, a filter is needed. references: diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml index 3e65a806ac..698e5db87c 100644 --- a/detections/endpoint/system_information_discovery_detection.yml +++ b/detections/endpoint/system_information_discovery_detection.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by dest | where dc_processes_by_dest > 2 | stats values(process) as process min(firstTime) as firstTime max(lastTime) as lastTime by user, dest parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_information_discovery_detection_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators debugging servers references: - https://web.archive.org/web/20210119205146/https://oscp.infosecsanyam.in/priv-escalation/windows-priv-escalation diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml index fe75a693bf..d6e94d08f6 100644 --- a/detections/endpoint/system_processes_run_from_unexpected_locations.yml +++ b/detections/endpoint/system_processes_run_from_unexpected_locations.yml @@ -24,9 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file` | `system_processes_run_from_unexpected_locations_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: This detection may require tuning based on third party applications utilizing native Windows binaries in non-standard paths. references: diff --git a/detections/endpoint/system_user_discovery_with_query.yml b/detections/endpoint/system_user_discovery_with_query.yml index c6c42811f0..655dcfcf41 100644 --- a/detections/endpoint/system_user_discovery_with_query.yml +++ b/detections/endpoint/system_user_discovery_with_query.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_query_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml index 254b242051..d2ff52866b 100644 --- a/detections/endpoint/system_user_discovery_with_whoami.yml +++ b/detections/endpoint/system_user_discovery_with_whoami.yml @@ -16,9 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_whoami_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ diff --git a/detections/endpoint/uninstall_app_using_msiexec.yml b/detections/endpoint/uninstall_app_using_msiexec.yml index 2e2d1bddd0..c7360cf772 100644 --- a/detections/endpoint/uninstall_app_using_msiexec.yml +++ b/detections/endpoint/uninstall_app_using_msiexec.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uninstall_app_using_msiexec_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown. references: - https://threadreaderapp.com/thread/1423361119926816776.html diff --git a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml index c2e3517095..0156a6cbb9 100644 --- a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml +++ b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml @@ -21,8 +21,15 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint where All_Traffic.dest_port = 88 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` ] | table _time dest parent_process_name process_name process_path process process_id dest_port | `unknown_process_using_the_kerberos_protocol_filter`' -how_to_implement: To successfully implement this search, you must be ingesting your - endpoint events and populating the Endpoint and Network data models. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Custom applications may leverage the Kerberos protocol. Filter as needed. references: diff --git a/detections/endpoint/unload_sysmon_filter_driver.yml b/detections/endpoint/unload_sysmon_filter_driver.yml index 86d753a443..af40608681 100644 --- a/detections/endpoint/unload_sysmon_filter_driver.yml +++ b/detections/endpoint/unload_sysmon_filter_driver.yml @@ -17,12 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` |`unload_sysmon_filter_driver_filter`| table firstTime lastTime dest user count process_name process_id parent_process_name process' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. This search is also shipped with `unload_sysmon_filter_driver_filter` macro, - update this macro to filter out false positives. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown at the moment references: - https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver diff --git a/detections/endpoint/unusually_long_command_line.yml b/detections/endpoint/unusually_long_command_line.yml index 2170b2a707..97e3f4b0b1 100644 --- a/detections/endpoint/unusually_long_command_line.yml +++ b/detections/endpoint/unusually_long_command_line.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` |eval threshold = 3 | where maxlen > ((threshold*stdevperhost) + avgperhost)' -how_to_implement: You must be ingesting endpoint data that tracks process activity, - including parent-child relationships, from your endpoints to populate the Endpoint - data model in the Processes node. The command-line arguments are mapped to the process - field in the Endpoint data model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some legitimate applications start with long command lines. references: [] tags: diff --git a/detections/endpoint/unusually_long_command_line___mltk.yml b/detections/endpoint/unusually_long_command_line___mltk.yml index fede6de02d..7690063eea 100644 --- a/detections/endpoint/unusually_long_command_line___mltk.yml +++ b/detections/endpoint/unusually_long_command_line___mltk.yml @@ -17,16 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | apply cmdline_pdfmodel threshold=0.01 | rename "IsOutlier(processlen)" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`' -how_to_implement: You must be ingesting endpoint data that monitors command lines - and populates the Endpoint data model in the Processes node. The command-line arguments - are mapped to the "process" field in the Endpoint data model. In addition, MLTK - version >= 4.2 must be installed on your search heads, along with any required dependencies. - Finally, the support search "Baseline of Command Line Length - MLTK" must be executed - before this detection search, as it builds an ML model over the historical data - used by this search. It is important that this search is run in the same app context - as the associated support search, so that the model created by the support search - is available for use. You should periodically re-run the support search to rebuild - the model with the latest data available in your environment. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell.yml b/detections/endpoint/user_discovery_with_env_vars_powershell.yml index 7bf3c01aec..07651a87d0 100644 --- a/detections/endpoint/user_discovery_with_env_vars_powershell.yml +++ b/detections/endpoint/user_discovery_with_env_vars_powershell.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ diff --git a/detections/endpoint/usn_journal_deletion.yml b/detections/endpoint/usn_journal_deletion.yml index c8aec9087c..2ed80eef38 100644 --- a/detections/endpoint/usn_journal_deletion.yml +++ b/detections/endpoint/usn_journal_deletion.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process="*deletejournal*" AND process="*usn*" | `usn_journal_deletion_filter`' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: None identified references: [] tags: diff --git a/detections/endpoint/vbscript_execution_using_wscript_app.yml b/detections/endpoint/vbscript_execution_using_wscript_app.yml index d9558af4db..c058b8c86f 100644 --- a/detections/endpoint/vbscript_execution_using_wscript_app.yml +++ b/detections/endpoint/vbscript_execution_using_wscript_app.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vbscript_execution_using_wscript_app_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.joesandbox.com/analysis/369332/0/html diff --git a/detections/endpoint/verclsid_clsid_execution.yml b/detections/endpoint/verclsid_clsid_execution.yml index 12127e726d..b1ce99972b 100644 --- a/detections/endpoint/verclsid_clsid_execution.yml +++ b/detections/endpoint/verclsid_clsid_execution.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `verclsid_clsid_execution_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: windows can used this application for its normal COM object validation. references: diff --git a/detections/endpoint/w3wp_spawning_shell.yml b/detections/endpoint/w3wp_spawning_shell.yml index 0068073ae8..d30d991020 100644 --- a/detections/endpoint/w3wp_spawning_shell.yml +++ b/detections/endpoint/w3wp_spawning_shell.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces AND `process_cmd` OR `process_powershell` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `w3wp_spawning_shell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Baseline your environment before production. It is possible build systems using IIS will spawn cmd.exe to perform a software build. Filter as needed. diff --git a/detections/endpoint/wbadmin_delete_system_backups.yml b/detections/endpoint/wbadmin_delete_system_backups.yml index 72c670c062..766264aaa0 100644 --- a/detections/endpoint/wbadmin_delete_system_backups.yml +++ b/detections/endpoint/wbadmin_delete_system_backups.yml @@ -16,9 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wbadmin_delete_system_backups_filter`' -how_to_implement: You must be ingesting endpoint data that tracks process activity, - including parent-child relationships from your endpoints to populate the Endpoint - data model in the Processes node. Tune based on parent process names. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may modify the boot configuration. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md diff --git a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml index fee4acfb1c..0e68b5c72a 100644 --- a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml +++ b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.process Processes.process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_spawned_cmd_or_powershell_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://labs.vipre.com/trickbot-and-its-modules/ diff --git a/detections/endpoint/wget_download_and_bash_execution.yml b/detections/endpoint/wget_download_and_bash_execution.yml index fa7ba9bd52..d042f6bcca 100644 --- a/detections/endpoint/wget_download_and_bash_execution.yml +++ b/detections/endpoint/wget_download_and_bash_execution.yml @@ -17,12 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wget_download_and_bash_execution_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon for Linux, you will need to ensure mapping is - occurring correctly. If the EDR is not parsing the pipe bash in the command-line, - modifying the analytic will be required. Add parent process name (Processes.parent_process_name) - as needed to filter. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited, however filtering may be required. references: diff --git a/detections/endpoint/windows_ad_dsrm_account_changes.yml b/detections/endpoint/windows_ad_dsrm_account_changes.yml index a05fd1da3a..158c48557d 100644 --- a/detections/endpoint/windows_ad_dsrm_account_changes.yml +++ b/detections/endpoint/windows_ad_dsrm_account_changes.yml @@ -7,28 +7,31 @@ type: TTP status: production data_source: - Sysmon Event ID 13 -description: Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) - account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be - used in the same way as a local administrator account. This detection is looking for alterations to the behaviour - of the account via registry. +description: Aside from being used to promote genuine domain controllers, the DSRM + (Directory Services Restore Mode) account can be used to persist within a Domain. + A DC can be configured to allow the DSRM account to logon & be used in the same + way as a local administrator account. This detection is looking for alterations + to the behaviour of the account via registry. search: '| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\DSRMAdminLogonBehavior" Registry.registry_value_data IN ("*1","*2") by Registry.action Registry.registry_path Registry.registry_value_data Registry.registry_value_type Registry.process_guid - | `drop_dm_object_name(Registry)` - | join type=outer process_guid [| tstats `security_content_summariesonly` count - FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process - Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid - | `drop_dm_object_name(Processes)`] - | table _time action dest user parent_process_name parent_process process_name process - process_guid registry_path registry_value_data registry_value_type | `windows_ad_dsrm_account_changes_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data - that records registry activity from your hosts to populate the endpoint data model - in the registry node. This is typically populated via endpoint detection-and-response - product, such as Carbon Black or endpoint data sources, such as Sysmon. The data - used for this search is typically generated via logs that report reads and writes - to the registry. -known_false_positives: Disaster recovery events. + | `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` + count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name + Processes.process Processes.dest Processes.parent_process_name Processes.parent_process + Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action + dest user parent_process_name parent_process process_name process process_guid registry_path + registry_value_data registry_value_type | `windows_ad_dsrm_account_changes_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Disaster recovery events. references: - https://adsecurity.org/?p=1714 tags: @@ -68,4 +71,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_adfind_exe.yml b/detections/endpoint/windows_adfind_exe.yml index b37616845e..e962448b6e 100644 --- a/detections/endpoint/windows_adfind_exe.yml +++ b/detections/endpoint/windows_adfind_exe.yml @@ -22,9 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_adfind_exe_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, and command-line executions from your endpoints. If - you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: ADfind is a command-line tool for AD administration and management that is seen to be leveraged by various adversaries. Filter out legitimate administrator usage using the filter macro. diff --git a/detections/endpoint/windows_apache_benchmark_binary.yml b/detections/endpoint/windows_apache_benchmark_binary.yml index 17c029e46b..6d21d14a53 100644 --- a/detections/endpoint/windows_apache_benchmark_binary.yml +++ b/detections/endpoint/windows_apache_benchmark_binary.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_apache_benchmark_binary_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited as there is a small subset of binaries that contain the original file name of ab.exe. Filter as needed. references: diff --git a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml index e99da55811..03e33e0ab9 100644 --- a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml +++ b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_binary_proxy_execution_mavinject_dll_injection_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter on DLL name or parent process. references: diff --git a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml index f412e936af..39b07f00e9 100644 --- a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml +++ b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml @@ -7,22 +7,35 @@ status: production type: Anomaly data_source: - Sysmon Event ID 1 -description: The following analytic identifies a potentially suspicious execution of the 'pkgmgr' process involving the use of an XML input file for package management. - The 'pkgmgr' process, though deprecated in modern Windows systems, was historically used for managing packages. The presence of an XML input file raises concerns about the nature of the executed command and its potential impact on the system. - Due to the deprecated status of 'pkgmgr' and the involvement of an XML file, this activity warrants careful investigation. XML files are commonly used for configuration and data exchange, making it crucial to ascertain the intentions and legitimacy of the command. - To ensure system security, it is recommended to use up-to-date package management utilities, such as DISM or PowerShell's PackageManagement module, and exercise caution when executing commands involving potentially sensitive operations or files. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name = pkgmgr.exe Processes.process = "*.xml*" NOT(Processes.parent_process_path IN("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "*:\\Program Files*")) - by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies a potentially suspicious execution + of the 'pkgmgr' process involving the use of an XML input file for package management. + The 'pkgmgr' process, though deprecated in modern Windows systems, was historically + used for managing packages. The presence of an XML input file raises concerns about + the nature of the executed command and its potential impact on the system. Due to + the deprecated status of 'pkgmgr' and the involvement of an XML file, this activity + warrants careful investigation. XML files are commonly used for configuration and + data exchange, making it crucial to ascertain the intentions and legitimacy of the + command. To ensure system security, it is recommended to use up-to-date package + management utilities, such as DISM or PowerShell's PackageManagement module, and + exercise caution when executing commands involving potentially sensitive operations + or files. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = pkgmgr.exe + Processes.process = "*.xml*" NOT(Processes.parent_process_path IN("*:\\windows\\system32\\*", + "*:\\windows\\syswow64\\*", "*:\\Program Files*")) by Processes.dest Processes.user + Processes.parent_process_name Processes.parent_process_path Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bypass_uac_via_pkgmgr_tool_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by diff --git a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml index 07896c8f77..341b0205ef 100644 --- a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml +++ b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml @@ -22,10 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cached_domain_credentials_reg_query_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of wermgr.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ diff --git a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml index 1c1abdf7aa..2851ca5d6b 100644 --- a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml +++ b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml @@ -21,12 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | rex field=file_name_association "\.(?[^\.]*$)" | where isnull(extension) and isnotnull(file_name_association) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_change_default_file_association_for_no_file_ext_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data - that records registry activity from your hosts to populate the endpoint data model - in the registry node. This is typically populated via endpoint detection-and-response - product, such as Carbon Black or endpoint data sources, such as Sysmon. The data - used for this search is typically generated via logs that report reads and writes - to the registry. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ diff --git a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml index 270207e6f8..27feb0159b 100644 --- a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml +++ b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_com_hijacking_inprocserver32_modification_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present and some filtering may be required. references: - https://attack.mitre.org/techniques/T1546/015/ diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml index 2759ee34c9..2e817e87c1 100644 --- a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml +++ b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml @@ -24,11 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | eval count_of_pattern4 = (mvcount(split(process,"//.."))-1) | search count_of_pattern1 > 1 OR count_of_pattern2 > 1 OR count_of_pattern3 > 1 OR count_of_pattern4 > 1 | `windows_command_and_scripting_interpreter_hunting_path_traversal_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: false positive may vary depends on the score you want to check. The bigger number of path traversal string count the better. references: diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml index b28a4fb939..764448a769 100644 --- a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml +++ b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_and_scripting_interpreter_path_traversal_exec_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Not known at this moment. references: - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ diff --git a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml index 8ae53f3832..3e87e0212b 100644 --- a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml +++ b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml @@ -24,11 +24,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.user _time span=30s | where parent_process_id_count>= 10 AND process_id_count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_dcrat_forkbomb_payload_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://cert.gov.ua/article/405538 diff --git a/detections/endpoint/windows_command_shell_fetch_env_variables.yml b/detections/endpoint/windows_command_shell_fetch_env_variables.yml index a68e6966b6..4c709a01d4 100644 --- a/detections/endpoint/windows_command_shell_fetch_env_variables.yml +++ b/detections/endpoint/windows_command_shell_fetch_env_variables.yml @@ -22,11 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_fetch_env_variables_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: shell process that are not included in this search may cause False positive. Filter is needed. references: diff --git a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml index cd96dc4215..bda61dca69 100644 --- a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml +++ b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_dumping_lsass_memory_createdump_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present if an application is dumping processes, filter as needed. Recommend reviewing createdump.exe usage across the fleet to better understand all usage and by what. diff --git a/detections/endpoint/windows_credentials_from_password_stores_query.yml b/detections/endpoint/windows_credentials_from_password_stores_query.yml index 702b9861d8..8a1b5c2b74 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_query.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_query.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_query_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of wermgr.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: network administrator can use this tool for auditing process. references: - https://ss64.com/nt/cmdkey.html diff --git a/detections/endpoint/windows_credentials_in_registry_reg_query.yml b/detections/endpoint/windows_credentials_in_registry_reg_query.yml index 85c66925d2..293e3b2960 100644 --- a/detections/endpoint/windows_credentials_in_registry_reg_query.yml +++ b/detections/endpoint/windows_credentials_in_registry_reg_query.yml @@ -24,10 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_in_registry_reg_query_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of wermgr.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://attack.mitre.org/techniques/T1552/002/ diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml index a8a64525b9..f2730fe0fb 100644 --- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml +++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml @@ -22,11 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_download_to_suspicious_path_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: It is possible Administrators or super users will use Curl for legitimate purposes. Filter as needed. references: diff --git a/detections/endpoint/windows_curl_upload_to_remote_destination.yml b/detections/endpoint/windows_curl_upload_to_remote_destination.yml index 784652179f..9ea1d5122b 100644 --- a/detections/endpoint/windows_curl_upload_to_remote_destination.yml +++ b/detections/endpoint/windows_curl_upload_to_remote_destination.yml @@ -31,11 +31,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_upload_to_remote_destination_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be limited to source control applications and may be required to be filtered out. references: diff --git a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml index 9447535437..2d0939efdd 100644 --- a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml +++ b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml @@ -5,18 +5,35 @@ date: '2023-04-24' author: Mauricio Velazco, Splunk status: production type: TTP -data_source : [] -description: The following analytic leverages the Endpoint datamodel to identify the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain - two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. - The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group - policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mmc.exe (Processes.process =*gpme.msc*) AND (Processes.process = "*31B2F340-016D-11D2-945F-00C04FB984F9*" OR Processes.process = "*6AC1786C-016F-11D2-945F-00C04fB984F9*" ) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_default_group_policy_object_modified_with_gpme_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. +data_source: [] +description: The following analytic leverages the Endpoint datamodel to identify the + potential edition of a default Group Policy Object. A fresh installation of an Active + Directory network will typically contain two default group policy objects `Default + Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers + policy is used to enforce and set policies to all the domain controllers within + the domain environment. The default domain policy is linked to all users and computers + by default. An adversary who has obtained privileged access to an Active Directory + network may modify the default group policy objects to obtain further access, deploy + persistence or execute malware across a large number of hosts. Security teams should + monitor the edition of the default GPOs. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mmc.exe + (Processes.process =*gpme.msc*) AND (Processes.process = "*31B2F340-016D-11D2-945F-00C04FB984F9*" + OR Processes.process = "*6AC1786C-016F-11D2-945F-00C04fB984F9*" ) by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_with_gpme_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: The default Group Policy Objects within an AD network may be + legitimately updated for administrative operations, filter as needed. references: - https://attack.mitre.org/techniques/T1484/ - https://attack.mitre.org/techniques/T1484/001 @@ -30,7 +47,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 100 - message: A default group policy object was opened with Group Policy Manage Editor on $dest$ + message: A default group policy object was opened with Group Policy Manage Editor + on $dest$ mitre_attack_id: - T1484 - T1484.001 @@ -55,11 +73,11 @@ tags: - _time - Processes.dest - Processes.user - - Processes.parent_process_name #parent process name - - Processes.parent_process #parent cmdline + - Processes.parent_process_name + - Processes.parent_process - Processes.original_file_name - - Processes.process_name #process name - - Processes.process #process cmdline + - Processes.process_name + - Processes.process - Processes.process_id - Processes.parent_process_path - Processes.process_path diff --git a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml index c5c4616269..26b74a8144 100644 --- a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml +++ b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml @@ -25,10 +25,15 @@ search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint | fields _time parent_process_name parent_process process_name process_path process process_guid registry_path registry_value_name registry_value_data registry_key_name action dest user | `windows_deleted_registry_by_a_non_critical_process_file_path_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical - Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: This detection can catch for third party application updates or installation. In this scenario false positive filter is needed. references: diff --git a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml index 4858a9ee08..aaf4baccdf 100644 --- a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml +++ b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_event_logging_disable_http_logging_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present only if scripts or Administrators are disabling logging. Filter as needed by parent process or other. references: diff --git a/detections/endpoint/windows_diskcryptor_usage.yml b/detections/endpoint/windows_diskcryptor_usage.yml index fb1b54842d..4ff1492f15 100644 --- a/detections/endpoint/windows_diskcryptor_usage.yml +++ b/detections/endpoint/windows_diskcryptor_usage.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskcryptor_usage_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: It is possible false positives may be present based on the internal name dcinst.exe, filter as needed. It may be worthy to alert on the service name. diff --git a/detections/endpoint/windows_diskshadow_proxy_execution.yml b/detections/endpoint/windows_diskshadow_proxy_execution.yml index ef04444fa4..b309bd4170 100644 --- a/detections/endpoint/windows_diskshadow_proxy_execution.yml +++ b/detections/endpoint/windows_diskshadow_proxy_execution.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskshadow_proxy_execution_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on processes that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,confirm - the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint - product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators using the DiskShadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter` diff --git a/detections/endpoint/windows_dism_remove_defender.yml b/detections/endpoint/windows_dism_remove_defender.yml index 15540d01fe..4247f0d04b 100644 --- a/detections/endpoint/windows_dism_remove_defender.yml +++ b/detections/endpoint/windows_dism_remove_defender.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dism_remove_defender_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. Filter as needed. references: diff --git a/detections/endpoint/windows_dll_search_order_hijacking_hunt.yml b/detections/endpoint/windows_dll_search_order_hijacking_hunt.yml index 44c64c0db7..cf72279882 100644 --- a/detections/endpoint/windows_dll_search_order_hijacking_hunt.yml +++ b/detections/endpoint/windows_dll_search_order_hijacking_hunt.yml @@ -26,12 +26,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | lookup hijacklibs library AS process_name OUTPUT islibrary | search islibrary = True | rename parent_process_name as "Process Name" process_name AS ImageLoaded process_path AS Module_Path | `windows_dll_search_order_hijacking_hunt_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. This may only with with Sysmon data and the Sysmon TA. Your mileage - may vary. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives will be present based on paths. Filter or add other paths to the exclusion as needed. references: diff --git a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml index d093df53ea..1cd3df61fd 100644 --- a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml +++ b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_dll_search_order_hijacking_with_iscsicpl_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filtering may be required. Remove the Windows Shells macro to determine if other utilities are using iscsicpl.exe. references: diff --git a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml index 33d56c45b0..7bafb0f70c 100644 --- a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml +++ b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml @@ -7,21 +7,28 @@ status: production type: Anomaly data_source: - Sysmon Event ID 1 -description: The following analytic identifies the suspicious child process of calc.exe due to dll side loading technique to execute another executable. - This technique was seen in qakbot malware that uses dll side loading technique to calc applications to load its malicious dll code. The malicious dll that abuses - dll side loading technique will load the actual qakbot loader dll using regsvr32.exe application. - This TTP is a good indicator of qakbot since the calc.exe will not load other child processes aside from win32calc.exe. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where (Processes.parent_process_name = "calc.exe") AND Processes.process_name != "win32calc.exe" - by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest - | `drop_dm_object_name("Processes")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_dll_side_loading_process_child_of_calc_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process - that include the name of the process responsible for the changes from your endpoints into the `Endpoint` - datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and - the latest TA for the endpoint product. +description: The following analytic identifies the suspicious child process of calc.exe + due to dll side loading technique to execute another executable. This technique + was seen in qakbot malware that uses dll side loading technique to calc applications + to load its malicious dll code. The malicious dll that abuses dll side loading technique + will load the actual qakbot loader dll using regsvr32.exe application. This TTP + is a good indicator of qakbot since the calc.exe will not load other child processes + aside from win32calc.exe. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name + = "calc.exe") AND Processes.process_name != "win32calc.exe" by Processes.parent_process + Processes.process_name Processes.process_id Processes.process_guid Processes.process + Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_dll_side_loading_process_child_of_calc_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot diff --git a/detections/endpoint/windows_dns_gather_network_info.yml b/detections/endpoint/windows_dns_gather_network_info.yml index 6940e99e5e..a1b5044f1f 100644 --- a/detections/endpoint/windows_dns_gather_network_info.yml +++ b/detections/endpoint/windows_dns_gather_network_info.yml @@ -7,19 +7,32 @@ type: Anomaly status: production data_source: - Sysmon Event ID 1 -description: The following analytic identifies a process command line used to enumerate DNS records. Adversaries, threat actors, or red teamers may employ this technique to gather information about a victim's DNS, which can be utilized during targeting. This method was also observed as part of a tool used by the Sandworm APT group in a geopolitical cyber warfare attack. By using the dnscmd.exe Windows application, an attacker can enumerate DNS records for specific domains within the targeted network, potentially aiding in further attacks. This anomaly detection can serve as a valuable starting point for identifying users and hostnames that may be compromised or targeted by adversaries seeking to collect data information. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name = "dnscmd.exe" Processes.process = "* /enumrecords *" - by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest - | `drop_dm_object_name("Processes")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies a process command line used to enumerate + DNS records. Adversaries, threat actors, or red teamers may employ this technique + to gather information about a victim's DNS, which can be utilized during targeting. + This method was also observed as part of a tool used by the Sandworm APT group in + a geopolitical cyber warfare attack. By using the dnscmd.exe Windows application, + an attacker can enumerate DNS records for specific domains within the targeted network, + potentially aiding in further attacks. This anomaly detection can serve as a valuable + starting point for identifying users and hostnames that may be compromised or targeted + by adversaries seeking to collect data information. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "dnscmd.exe" + Processes.process = "* /enumrecords *" by Processes.parent_process Processes.process_name + Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest + | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_gather_network_info_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process - that include the name of the process responsible for the changes from your endpoints into the `Endpoint` - datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and - the latest TA for the endpoint product. -known_false_positives: network administrator can execute this command to enumerate DNS record. Filter or add other paths to the exclusion as needed. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: network administrator can execute this command to enumerate + DNS record. Filter or add other paths to the exclusion as needed. references: - https://cert.gov.ua/article/3718487 - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF @@ -62,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1590.002/enum_dns_record/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml index 0378b37200..d402e3a1d3 100644 --- a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml +++ b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml @@ -23,11 +23,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file` | `windows_dotnet_binary_in_non_standard_path_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use. diff --git a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml index 94a31e764f..7a2f5ae2d4 100644 --- a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml +++ b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_execute_arbitrary_commands_with_msdt_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. Added .xml to potentially capture any answer file usage. Remove as needed. references: diff --git a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml index 73563de677..946ee02fb3 100644 --- a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml +++ b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml @@ -7,22 +7,31 @@ status: production type: TTP data_source: - Sysmon Event ID 1 -description: This analytic aims to identify potential adversaries who manipulate the security permissions of specific files or directories. - This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. - By modifying the security permissions, adversaries seek to evade detection and impede access to their component files. - Such actions indicate a deliberate effort to maintain control over compromised systems and hinder investigation or remediation efforts. - Detecting these security permission changes can serve as a valuable indicator of an ongoing attack and enable timely response to mitigate the impact of the adversary's activities. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name IN( "icacls.exe", "cacls.exe","xcacls.exe") - AND Processes.process IN ("*:R*", "*:W*", "*:F*", "*:C*",, "*:N*","*/P*", "*/E*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: This analytic aims to identify potential adversaries who manipulate the + security permissions of specific files or directories. This technique is frequently + observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. + By modifying the security permissions, adversaries seek to evade detection and impede + access to their component files. Such actions indicate a deliberate effort to maintain + control over compromised systems and hinder investigation or remediation efforts. + Detecting these security permission changes can serve as a valuable indicator of + an ongoing attack and enable timely response to mitigate the impact of the adversary's + activities. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", + "cacls.exe","xcacls.exe") AND Processes.process IN ("*:R*", "*:W*", "*:F*", "*:C*",, + "*:N*","*/P*", "*/E*") by Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_files_and_dirs_access_rights_modification_via_icacls_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. It is possible some administrative scripts use ICacls. Filter as needed. references: @@ -35,8 +44,9 @@ tags: - 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 confidence: 70 impact: 70 - message: Process name $process_name$ with access right modification argument executed by $user$ to change - security permission of a specific file or directory on host $dest$ + message: Process name $process_name$ with access right modification argument executed + by $user$ to change security permission of a specific file or directory on host + $dest$ mitre_attack_id: - T1222.001 - T1222 diff --git a/detections/endpoint/windows_findstr_gpp_discovery.yml b/detections/endpoint/windows_findstr_gpp_discovery.yml index f2513e5ce3..afec35b5c3 100644 --- a/detections/endpoint/windows_findstr_gpp_discovery.yml +++ b/detections/endpoint/windows_findstr_gpp_discovery.yml @@ -6,25 +6,36 @@ author: Mauricio Velazco, Splunk type: TTP status: production data_source: [] -description: The following analytic identifies the use of the findstr command employed to search for unsecured credentials Group Policy Preferences (GPP). - GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. - These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). - While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. +description: The following analytic identifies the use of the findstr command employed + to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools + that allow administrators to create domain policies with embedded credentials. These + policies allow administrators to set local accounts. These group policies are stored + in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL + share and decrypt the password (using the AES key that has been made public). While + Microsoft released a patch that impedes Administrators to create unsecure credentials, + existing Group Policy Preferences files with passwords are not removed from SYSVOL. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=findstr.exe AND Processes.process=*sysvol* AND Processes.process=*cpassword*) - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=findstr.exe + AND Processes.process=*sysvol* AND Processes.process=*cpassword*) by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.original_file_name | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_findstr_gpp_discovery_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may leverage findstr to find passwords in GPO + to validate exposure. Filter as needed. references: - https://attack.mitre.org/techniques/T1552/006/ - https://pentestlab.blog/2017/03/20/group-policy-preferences/ -- https://adsecurity.org/?p=2288 +- https://adsecurity.org/?p=2288 - https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ - https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 tags: @@ -60,9 +71,9 @@ tags: - Processes.user - Processes.parent_process_name - Processes.process_name - - Processes.process_id + - Processes.process_id - Processes.parent_process_id - - Processes.original_file_name + - Processes.original_file_name risk_score: 56 security_domain: endpoint tests: @@ -70,4 +81,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-security.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_identify_protocol_handlers.yml b/detections/endpoint/windows_identify_protocol_handlers.yml index 9addf6cac9..07ae69911e 100644 --- a/detections/endpoint/windows_identify_protocol_handlers.yml +++ b/detections/endpoint/windows_identify_protocol_handlers.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup windows_protocol_handlers handler AS process OUTPUT handler ishandler | where ishandler="TRUE" | `windows_identify_protocol_handlers_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives will be found. https and http is a URL Protocol handler that will trigger this analytic. Tune based on process or command-line. references: diff --git a/detections/endpoint/windows_iis_components_add_new_module.yml b/detections/endpoint/windows_iis_components_add_new_module.yml index 64e17a86c0..8cf0206a78 100644 --- a/detections/endpoint/windows_iis_components_add_new_module.yml +++ b/detections/endpoint/windows_iis_components_add_new_module.yml @@ -20,12 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_add_new_module_filter`' -how_to_implement: Tune the analytic for your environment by filtering by known good - modules or processes. Enable as TTP once the volume is low enough. To successfully - implement this search you need to be ingesting information on process that include - the name of the process responsible for the changes from your endpoints into the - `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM - App 4.20 or higher is installed and the latest TA for the endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present until properly tuned. Filter as needed. references: diff --git a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml index 1ef5d57d6e..6ddfb2424e 100644 --- a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml +++ b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_add_xml_applocker_rules_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may execute this command that may cause some false positive. references: diff --git a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml index c80dbb3049..26c43e86bb 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_forfiles_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the full process path in the process field of CIM's Process data model. - If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. - Tune and filter known instances where forfiles.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some legacy applications may be run using pcalua.exe. Similarly, forfiles.exe may be used in legitimate batch scripts. Filter these results as needed. references: diff --git a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml index 3d4872d990..a8111747c7 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml @@ -17,10 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_pcalua_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the full process path in the process field of CIM's Process data model. - If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. - Tune and filter known instances where pcalua.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some legacy applications may be run using pcalua.exe. Filter these results as needed. references: diff --git a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml index 8b2a0a8e18..314ff1e824 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml @@ -19,12 +19,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as "forfiles.exe" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=20 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_series_of_forfiles_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data - that records registry activity from your hosts to populate the endpoint data model - in the registry node. This is typically populated via endpoint detection-and-response - product, such as Carbon Black or endpoint data sources, such as Sysmon. The data - used for this search is typically generated via logs that report reads and writes - to the registry. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles diff --git a/detections/endpoint/windows_information_discovery_fsutil.yml b/detections/endpoint/windows_information_discovery_fsutil.yml index a4ea32793a..5f3f4d850b 100644 --- a/detections/endpoint/windows_information_discovery_fsutil.yml +++ b/detections/endpoint/windows_information_discovery_fsutil.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_information_discovery_fsutil_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of wermgr.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil diff --git a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml index 52dba86af0..6d3e12b7d8 100644 --- a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml +++ b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml @@ -23,11 +23,15 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_ Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ingress_tool_transfer_using_explorer_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present based on legitimate applications or third party utilities. Filter out any additional parent process names. references: diff --git a/detections/endpoint/windows_installutil_in_non_standard_path.yml b/detections/endpoint/windows_installutil_in_non_standard_path.yml index a87f4d7666..ec9089a0de 100644 --- a/detections/endpoint/windows_installutil_in_non_standard_path.yml +++ b/detections/endpoint/windows_installutil_in_non_standard_path.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use. diff --git a/detections/endpoint/windows_installutil_remote_network_connection.yml b/detections/endpoint/windows_installutil_remote_network_connection.yml index d17cf16767..893590030a 100644 --- a/detections/endpoint/windows_installutil_remote_network_connection.yml +++ b/detections/endpoint/windows_installutil_remote_network_connection.yml @@ -30,11 +30,15 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_remote_network_connection_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` and `Ports` node. - In addition, confirm the latest CIM App 4.20 or higher is installed and the latest - TA for the endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements. diff --git a/detections/endpoint/windows_installutil_uninstall_option.yml b/detections/endpoint/windows_installutil_uninstall_option.yml index db2bc46381..90c0ee15aa 100644 --- a/detections/endpoint/windows_installutil_uninstall_option.yml +++ b/detections/endpoint/windows_installutil_uninstall_option.yml @@ -31,11 +31,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_uninstall_option_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives should be present. Filter as needed by parent process or application. references: diff --git a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml index c23e7f4a91..6b9136ca3f 100644 --- a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml +++ b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml @@ -34,11 +34,15 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_uninstall_option_with_network_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` and `Ports` node. - In addition, confirm the latest CIM App 4.20 or higher is installed and the latest - TA for the endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements. diff --git a/detections/endpoint/windows_installutil_url_in_command_line.yml b/detections/endpoint/windows_installutil_url_in_command_line.yml index c1df6d4594..9b93de1a26 100644 --- a/detections/endpoint/windows_installutil_url_in_command_line.yml +++ b/detections/endpoint/windows_installutil_url_in_command_line.yml @@ -27,11 +27,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_url_in_command_line_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements. diff --git a/detections/endpoint/windows_java_spawning_shells.yml b/detections/endpoint/windows_java_spawning_shells.yml index df9b53f3e5..01c43ca59a 100644 --- a/detections/endpoint/windows_java_spawning_shells.yml +++ b/detections/endpoint/windows_java_spawning_shells.yml @@ -18,12 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_java_spawning_shells_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. Restrict the analytic to publicly facing endpoints to reduce false positives. - Add any additional identified web application process name to the query. Add any - further Windows process names to the macro (ex. LOLBins) to further expand this - query. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on that. references: diff --git a/detections/endpoint/windows_lateral_tool_transfer_remcom.yml b/detections/endpoint/windows_lateral_tool_transfer_remcom.yml index df209bcb4d..0c3fded0fa 100644 --- a/detections/endpoint/windows_lateral_tool_transfer_remcom.yml +++ b/detections/endpoint/windows_lateral_tool_transfer_remcom.yml @@ -7,26 +7,38 @@ type: TTP status: production data_source: - Sysmon Event ID 1 -description: This analytic identifies the use of RemCom.exe - The open source psexec. This utility provides the ability to move laterally and run scripts or commands remotely. +description: This analytic identifies the use of RemCom.exe - The open source psexec. + This utility provides the ability to move laterally and run scripts or commands + remotely. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe OR Processes.original_file_name=RemCom.exe) Processes.process="*\\*" Processes.process IN ("*/user:*", "*/pwd:*") - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name - Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe + OR Processes.original_file_name=RemCom.exe) Processes.process="*\\*" Processes.process + IN ("*/user:*", "*/pwd:*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lateral_tool_transfer_remcom_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives may be present based on Administrative use. Filter as needed. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present based on Administrative use. + Filter as needed. references: - - https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - - https://github.com/kavika13/RemCom +- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ +- https://github.com/kavika13/RemCom tags: analytic_story: - Active Directory Discovery asset_type: Endpoint confidence: 50 impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally. + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to move laterally. mitre_attack_id: - T1570 observable: @@ -54,11 +66,11 @@ tags: - _time - Processes.dest - Processes.user - - Processes.parent_process_name #parent process name - - Processes.parent_process #parent cmdline + - Processes.parent_process_name + - Processes.parent_process - Processes.original_file_name - - Processes.process_name #process name - - Processes.process #process cmdline + - Processes.process_name + - Processes.process - Processes.process_id - Processes.parent_process_path - Processes.process_path diff --git a/detections/endpoint/windows_ldifde_directory_object_behavior.yml b/detections/endpoint/windows_ldifde_directory_object_behavior.yml index 8e8edb3325..4e931da2a9 100644 --- a/detections/endpoint/windows_ldifde_directory_object_behavior.yml +++ b/detections/endpoint/windows_ldifde_directory_object_behavior.yml @@ -7,21 +7,42 @@ status: production type: TTP data_source: - Sysmon Event ID 1 -description: The following analytic identifies the use of Ldifde.exe, which provides the ability to create, modify, or delete LDAP directory objects. - Natively, the binary is only installed on a domain controller. However, adversaries or administrators may install the Windows Remote Server Admin Tools for ldifde.exe. - Ldifde.exe is a Microsoft Windows command-line utility used to import or export LDAP directory entries. LDAP stands for Lightweight Directory Access Protocol, which is a protocol used for accessing and managing directory information services over an IP network. LDIF, on the other hand, stands for LDAP Data Interchange Format, a standard plain-text data interchange format for representing LDAP directory entries. - -i This is a flag used with Ldifde.exe to denote import mode. In import mode, Ldifde.exe takes an LDIF file and imports its contents into the LDAP directory. The data in the LDIF file might include new objects to be created, or modifications or deletions to existing objects. - -f This flag is used to specify the filename of the LDIF file that Ldifde.exe will import from (in the case of the -i flag) or export to (without the -i flag). For example, if you wanted to import data from a file called data.ldif, you would use the command ldifde -i -f data.ldif. - Keep in mind that while the use of Ldifde.exe is legitimate in many contexts, it can also be used maliciously. For instance, an attacker who has gained access to a domain controller could potentially use Ldifde.exe to export sensitive data or make unauthorized changes to the directory. Therefore, it's important to monitor for unusual or unauthorized use of this tool. +description: The following analytic identifies the use of Ldifde.exe, which provides + the ability to create, modify, or delete LDAP directory objects. Natively, the binary + is only installed on a domain controller. However, adversaries or administrators + may install the Windows Remote Server Admin Tools for ldifde.exe. Ldifde.exe is + a Microsoft Windows command-line utility used to import or export LDAP directory + entries. LDAP stands for Lightweight Directory Access Protocol, which is a protocol + used for accessing and managing directory information services over an IP network. + LDIF, on the other hand, stands for LDAP Data Interchange Format, a standard plain-text + data interchange format for representing LDAP directory entries. -i This is a flag + used with Ldifde.exe to denote import mode. In import mode, Ldifde.exe takes an + LDIF file and imports its contents into the LDAP directory. The data in the LDIF + file might include new objects to be created, or modifications or deletions to existing + objects. -f This flag is used to specify the filename of the LDIF file that Ldifde.exe + will import from (in the case of the -i flag) or export to (without the -i flag). + For example, if you wanted to import data from a file called data.ldif, you would + use the command ldifde -i -f data.ldif. Keep in mind that while the use of Ldifde.exe + is legitimate in many contexts, it can also be used maliciously. For instance, an + attacker who has gained access to a domain controller could potentially use Ldifde.exe + to export sensitive data or make unauthorized changes to the directory. Therefore, + it's important to monitor for unusual or unauthorized use of this tool. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ldifde.exe Processes.process IN ("*-i *", "*-f *") - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name - Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ldifde.exe + Processes.process IN ("*-i *", "*-f *") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ldifde_directory_object_behavior_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives may be present, filter as needed. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present, filter as needed. references: - https://lolbas-project.github.io/lolbas/Binaries/Ldifde/ - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF @@ -31,11 +52,12 @@ tags: analytic_story: - Volt Typhoon asset_type: Endpoint - atomic_guid: + atomic_guid: - 22cf8cb9-adb1-4e8c-80ca-7c723dfc8784 confidence: 50 impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing ldifde on a domain controller. + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ utilizing ldifde on a domain controller. mitre_attack_id: - T1105 - T1069.002 @@ -64,11 +86,11 @@ tags: - _time - Processes.dest - Processes.user - - Processes.parent_process_name #parent process name - - Processes.parent_process #parent cmdline + - Processes.parent_process_name + - Processes.parent_process - Processes.original_file_name - - Processes.process_name #process name - - Processes.process #process cmdline + - Processes.process_name + - Processes.process - Processes.process_id - Processes.parent_process_path - Processes.process_path diff --git a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml index 830f54283c..9b0652ae58 100644 --- a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml +++ b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_masquerading_explorer_as_child_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot diff --git a/detections/endpoint/windows_mimikatz_binary_execution.yml b/detections/endpoint/windows_mimikatz_binary_execution.yml index 5fca729b57..9c13c6eb26 100644 --- a/detections/endpoint/windows_mimikatz_binary_execution.yml +++ b/detections/endpoint/windows_mimikatz_binary_execution.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mimikatz_binary_execution_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited as this is directly looking for Mimikatz, the credential dumping utility. references: diff --git a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml index a263d59aa4..8d275c5576 100644 --- a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml +++ b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml @@ -34,10 +34,15 @@ search: '| tstats `security_content_summariesonly` count dc(registry_value_name) dc(registry_value_name) as registry_value_name_count by process_path registry_key_name registry_value_data proc_guid registry_key_name_len registry_value_name_len | where registry_value_name_count >= 5 | `windows_modify_registry_qakbot_binary_data_registry_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure - that this registry was included in your config files ex. sysmon config to be monitored. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/ diff --git a/detections/endpoint/windows_modify_registry_reg_restore.yml b/detections/endpoint/windows_modify_registry_reg_restore.yml index f4f1305076..a232f325b5 100644 --- a/detections/endpoint/windows_modify_registry_reg_restore.yml +++ b/detections/endpoint/windows_modify_registry_reg_restore.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_reg_restore_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of wermgr.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: network administrator can use this command tool to backup registry before updates or modifying critical registries. references: diff --git a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml index 109e60e2ee..e82813ca9d 100644 --- a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml +++ b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_regedit_silent_reg_import_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may execute this command that may cause some false positive. Filter as needed. references: diff --git a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml index ef07bafe4c..4336d06ebd 100644 --- a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml +++ b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mof_event_triggered_execution_via_wmi_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present from automation based applications (SCCM), filtering may be required. In addition, break the query out based on volume of usage. Filter process names or f diff --git a/detections/endpoint/windows_msiexec_dllregisterserver.yml b/detections/endpoint/windows_msiexec_dllregisterserver.yml index 0259e45c82..3fae5a864d 100644 --- a/detections/endpoint/windows_msiexec_dllregisterserver.yml +++ b/detections/endpoint/windows_msiexec_dllregisterserver.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_dllregisterserver_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed. references: diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml index bbad5f2d6e..b7783b4bd9 100644 --- a/detections/endpoint/windows_msiexec_remote_download.yml +++ b/detections/endpoint/windows_msiexec_remote_download.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_remote_download_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter by destination or parent process as needed. references: diff --git a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml index b58c590739..5962384716 100644 --- a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml +++ b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_spawn_discovery_command_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives will be present with MSIExec spawning Cmd or PowerShell. Filtering will be needed. In addition, add other known discovery processes to enhance query. diff --git a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml index ba121d0906..5772d822e6 100644 --- a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml +++ b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_unregister_dllregisterserver_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed. references: diff --git a/detections/endpoint/windows_msiexec_with_network_connections.yml b/detections/endpoint/windows_msiexec_with_network_connections.yml index 6223abb2f3..1751bd8ba6 100644 --- a/detections/endpoint/windows_msiexec_with_network_connections.yml +++ b/detections/endpoint/windows_msiexec_with_network_connections.yml @@ -19,13 +19,15 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] | table _time dest parent_process_name process_name process_path process process_id dest_port dest_ip | `windows_msiexec_with_network_connections_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. Add parent process as a filter, filter known good processes. This - may be voluminous due to the join on process_id. All_Traffic does not have process_guid, - yet. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives will be present and filtering is required. references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ diff --git a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml index b9914cc27c..d9b176176f 100644 --- a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml +++ b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ngrok_reverse_proxy_usage_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed. references: diff --git a/detections/endpoint/windows_nirsoft_advancedrun.yml b/detections/endpoint/windows_nirsoft_advancedrun.yml index db3bdab6c5..fdc676ef62 100644 --- a/detections/endpoint/windows_nirsoft_advancedrun.yml +++ b/detections/endpoint/windows_nirsoft_advancedrun.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_nirsoft_advancedrun_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited as it is specific to AdvancedRun. Filter as needed based on legitimate usage. references: diff --git a/detections/endpoint/windows_nirsoft_utilities.yml b/detections/endpoint/windows_nirsoft_utilities.yml index 00a0074fb9..693acfbeab 100644 --- a/detections/endpoint/windows_nirsoft_utilities.yml +++ b/detections/endpoint/windows_nirsoft_utilities.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_nirsoft_software` | `windows_nirsoft_utilities_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present. Filtering may be required before setting to alert. references: diff --git a/detections/endpoint/windows_odbcconf_hunting.yml b/detections/endpoint/windows_odbcconf_hunting.yml index e7ad927e6c..fc2e8513f0 100644 --- a/detections/endpoint/windows_odbcconf_hunting.yml +++ b/detections/endpoint/windows_odbcconf_hunting.yml @@ -14,11 +14,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_hunting_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives will be present as this is meant to assist with filtering and tuning. references: diff --git a/detections/endpoint/windows_odbcconf_load_dll.yml b/detections/endpoint/windows_odbcconf_load_dll.yml index 1114188be2..be7861e0bc 100644 --- a/detections/endpoint/windows_odbcconf_load_dll.yml +++ b/detections/endpoint/windows_odbcconf_load_dll.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_dll_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed. references: diff --git a/detections/endpoint/windows_odbcconf_load_response_file.yml b/detections/endpoint/windows_odbcconf_load_response_file.yml index 3e63374443..ec9f5c9a94 100644 --- a/detections/endpoint/windows_odbcconf_load_response_file.yml +++ b/detections/endpoint/windows_odbcconf_load_response_file.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_response_file_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed. references: diff --git a/detections/endpoint/windows_office_product_spawning_msdt.yml b/detections/endpoint/windows_office_product_spawning_msdt.yml index 2b82ba6b48..d57d42fe7b 100644 --- a/detections/endpoint/windows_office_product_spawning_msdt.yml +++ b/detections/endpoint/windows_office_product_spawning_msdt.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawning_msdt_filter`' -how_to_implement: how To successfully implement this search you need to be ingesting - information on process that include the name of the process responsible for the - changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. - In addition, confirm the latest CIM App 4.20 or higher is installed and the latest - TA for the endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited, however filter as needed. references: - https://isc.sans.edu/diary/rss/28694 diff --git a/detections/endpoint/windows_papercut_ng_spawn_shell.yml b/detections/endpoint/windows_papercut_ng_spawn_shell.yml index 1a1aa16705..9e312f6c58 100644 --- a/detections/endpoint/windows_papercut_ng_spawn_shell.yml +++ b/detections/endpoint/windows_papercut_ng_spawn_shell.yml @@ -7,17 +7,30 @@ status: production type: TTP data_source: - Sysmon Event ID 1 -description: The following analytic is designed to detect instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, specifically cmd.exe or PowerShell. This behavior may indicate potential malicious activity, such as an attacker attempting to gain unauthorized access or execute harmful commands on the affected system. +description: The following analytic is designed to detect instances where the PaperCut + NG application (pc-app.exe) spawns a Windows shell, specifically cmd.exe or PowerShell. + This behavior may indicate potential malicious activity, such as an attacker attempting + to gain unauthorized access or execute harmful commands on the affected system. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=pc-app.exe `process_cmd` OR `process_powershell` OR Processes.process_name=java.exe - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name - Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_papercut_ng_spawn_shell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives may be present, but most likely not. Filter as needed. + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=pc-app.exe + `process_cmd` OR `process_powershell` OR Processes.process_name=java.exe by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_papercut_ng_spawn_shell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present, but most likely not. Filter + as needed. references: - - https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability - - https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 +- https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability +- https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 tags: analytic_story: - PaperCut MF NG Vulnerability @@ -25,7 +38,8 @@ tags: atomic_guid: [] confidence: 90 impact: 100 - message: The PaperCut NG application has spawned a shell $process_name$ on endpoint $dest$ by $user$. + message: The PaperCut NG application has spawned a shell $process_name$ on endpoint + $dest$ by $user$. mitre_attack_id: - T1059 - T1190 @@ -52,11 +66,11 @@ tags: - _time - Processes.dest - Processes.user - - Processes.parent_process_name #parent process name - - Processes.parent_process #parent cmdline + - Processes.parent_process_name + - Processes.parent_process - Processes.original_file_name - - Processes.process_name #process name - - Processes.process #process cmdline + - Processes.process_name + - Processes.process - Processes.process_id - Processes.parent_process_path - Processes.process_path diff --git a/detections/endpoint/windows_password_managers_discovery.yml b/detections/endpoint/windows_password_managers_discovery.yml index 7a40b2c22a..1799ba1350 100644 --- a/detections/endpoint/windows_password_managers_discovery.yml +++ b/detections/endpoint/windows_password_managers_discovery.yml @@ -26,10 +26,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_password_managers_discovery_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of wermgr.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://attack.mitre.org/techniques/T1555/005/ diff --git a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml index f23e802d93..030b37023c 100644 --- a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml +++ b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime "chrome.exe", "iexplore.exe") by Processes.user Processes.parent_process_name Processes.process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_pdf_file_executes_url_link_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives in PDF file opened PDF Viewer having legitimate URL link, however filter as needed. references: diff --git a/detections/endpoint/windows_powershell_remotesigned_file.yml b/detections/endpoint/windows_powershell_remotesigned_file.yml index fdc253c62a..7fd257f5e6 100644 --- a/detections/endpoint/windows_powershell_remotesigned_file.yml +++ b/detections/endpoint/windows_powershell_remotesigned_file.yml @@ -7,20 +7,26 @@ status: production type: Anomaly data_source: - Sysmon Event ID 1 -description: This analytic identifies the use of "remotesigned" execution policy for a file. - This security setting determines whether PowerShell scripts can be executed on a computer. - When the execution policy is set to "remotesigned," it allows locally created scripts to run without any restrictions, - but scripts downloaded from the internet must have a digital signature from a trusted publisher. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where `process_powershell` Processes.process="* remotesigned *" Processes.process="* -File *" - by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_powershell_remotesigned_file_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +description: This analytic identifies the use of "remotesigned" execution policy for + a file. This security setting determines whether PowerShell scripts can be executed + on a computer. When the execution policy is set to "remotesigned," it allows locally + created scripts to run without any restrictions, but scripts downloaded from the + internet must have a digital signature from a trusted publisher. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process="* + remotesigned *" Processes.process="* -File *" by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_powershell_remotesigned_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: It is possible administrators or scripts may run these commands, filtering may be required. references: @@ -51,13 +57,13 @@ tags: risk_score: 25 required_fields: - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.original_file_name - - Processes.process - - Processes.process_id + - Processes.dest + - Processes.user + - Processes.parent_process + - Processes.process_name + - Processes.original_file_name + - Processes.process + - Processes.process_id - Processes.parent_process_id security_domain: endpoint tests: diff --git a/detections/endpoint/windows_private_keys_discovery.yml b/detections/endpoint/windows_private_keys_discovery.yml index d8d59a34ad..21100211cf 100644 --- a/detections/endpoint/windows_private_keys_discovery.yml +++ b/detections/endpoint/windows_private_keys_discovery.yml @@ -24,10 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_private_keys_discovery_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of wermgr.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://attack.mitre.org/techniques/T1552/004/ diff --git a/detections/endpoint/windows_process_injection_wermgr_child_process.yml b/detections/endpoint/windows_process_injection_wermgr_child_process.yml index 2fe7f60bf4..419b980ad9 100644 --- a/detections/endpoint/windows_process_injection_wermgr_child_process.yml +++ b/detections/endpoint/windows_process_injection_wermgr_child_process.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_wermgr_child_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg diff --git a/detections/endpoint/windows_process_with_namedpipe_commandline.yml b/detections/endpoint/windows_process_with_namedpipe_commandline.yml index ac68514dde..d04105e563 100644 --- a/detections/endpoint/windows_process_with_namedpipe_commandline.yml +++ b/detections/endpoint/windows_process_with_namedpipe_commandline.yml @@ -22,10 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_with_namedpipe_commandline_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Normal browser application may use this technique. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/windows_protocol_tunneling_with_plink.yml b/detections/endpoint/windows_protocol_tunneling_with_plink.yml index 19624e1124..300616103e 100644 --- a/detections/endpoint/windows_protocol_tunneling_with_plink.yml +++ b/detections/endpoint/windows_protocol_tunneling_with_plink.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_protocol_tunneling_with_plink_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present if the organization allows for SSH tunneling outbound or internally. Filter as needed. references: diff --git a/detections/endpoint/windows_proxy_via_netsh.yml b/detections/endpoint/windows_proxy_via_netsh.yml index 372f2d2a12..30f8c1eee6 100644 --- a/detections/endpoint/windows_proxy_via_netsh.yml +++ b/detections/endpoint/windows_proxy_via_netsh.yml @@ -7,23 +7,27 @@ status: production type: Anomaly data_source: - Sysmon Event ID 1 -description: This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line - scripting utility that allows you to, either locally or remotely, display or modify - the network configuration of a computer that is currently running. Netsh can be - used as a persistence proxy technique to execute a helper DLL when netsh.exe is - executed. In this search, we are looking for processes spawned by netsh.exe and - executing commands via the command line. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where `process_netsh` Processes.process = "* portproxy *" Processes.process = "* v4tov4 *" by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.user Processes.dest - |`drop_dm_object_name("Processes")` - |`security_content_ctime(firstTime)` - |`security_content_ctime(lastTime)` - | `windows_proxy_via_netsh_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +description: This search looks for processes launching netsh.exe for connection proxy. + Netsh is a command-line scripting utility that allows you to, either locally or + remotely, display or modify the network configuration of a computer that is currently + running. Netsh can be used as a persistence proxy technique to execute a helper + DLL when netsh.exe is executed. In this search, we are looking for processes spawned + by netsh.exe and executing commands via the command line. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process + = "* portproxy *" Processes.process = "* v4tov4 *" by Processes.parent_process_name + Processes.parent_process Processes.original_file_name Processes.process_name Processes.process + Processes.user Processes.dest |`drop_dm_object_name("Processes")` |`security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `windows_proxy_via_netsh_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands. diff --git a/detections/endpoint/windows_query_registry_reg_save.yml b/detections/endpoint/windows_query_registry_reg_save.yml index 9b49ca71d8..934dfe9188 100644 --- a/detections/endpoint/windows_query_registry_reg_save.yml +++ b/detections/endpoint/windows_query_registry_reg_save.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_reg_save_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of wermgr.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: network administrator can use this command tool to backup registry before updates or modifying critical registries. references: diff --git a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml index a5e250e2c9..d4bc8816f0 100644 --- a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml +++ b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raccine_scheduled_task_deletion_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited, however filter as needed. references: - https://redcanary.com/blog/blackbyte-ransomware/ diff --git a/detections/endpoint/windows_rasautou_dll_execution.yml b/detections/endpoint/windows_rasautou_dll_execution.yml index ff03af9789..751bba5082 100644 --- a/detections/endpoint/windows_rasautou_dll_execution.yml +++ b/detections/endpoint/windows_rasautou_dll_execution.yml @@ -17,11 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rasautou_dll_execution_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives will be limited to applications that require Rasautou.exe to load a DLL from disk. Filter as needed. references: diff --git a/detections/endpoint/windows_registry_payload_injection.yml b/detections/endpoint/windows_registry_payload_injection.yml index 15c7f08022..b156f6c501 100644 --- a/detections/endpoint/windows_registry_payload_injection.yml +++ b/detections/endpoint/windows_registry_payload_injection.yml @@ -5,14 +5,35 @@ date: '2023-06-15' author: Steven Dick status: production type: TTP -description: The following analytic identifies when suspiciouly long data is written to the registry. This behavior is often associated with certain fileless malware threats or persistence techniques used by threat actors. Data stored in the registy is considered fileless since it does not get written to disk and is traditionally not well defended since normal users can modify thier own registry. +description: The following analytic identifies when suspiciouly long data is written + to the registry. This behavior is often associated with certain fileless malware + threats or persistence techniques used by threat actors. Data stored in the registy + is considered fileless since it does not get written to disk and is traditionally + not well defended since normal users can modify thier own registry. data_source: - Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid| `drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data=* by _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_value_data Registry.registry_key_name - | `drop_dm_object_name(Registry)` - | eval reg_data_len = len(registry_value_data) - | where reg_data_len > 512] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data)| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_payload_injection_filter`' -how_to_implement: The following analytic requires Sysmon or Windows logging with command line and registry modification logging enabled. Use filter to remove known environment known false positives prior to full production usage. +search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) + AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id + Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name + Processes.parent_process Processes.process_guid| `drop_dm_object_name(Processes)` + | join max=0 dest process_guid [| tstats `security_content_summariesonly` count + from datamodel=Endpoint.Registry where Registry.registry_value_data=* by _time span=1h + Registry.dest Registry.registry_path Registry.registry_value_name Registry.process_guid + Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` + | eval reg_data_len = len(registry_value_data) | where reg_data_len > 512] | fields + firstTime lastTime dest user parent_process_name parent_process process_name process_path + process registry_key_name registry_path registry_value_name registry_value_data + process_guid | where isnotnull(registry_value_data)| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `windows_registry_payload_injection_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown, possible custom scripting. references: - https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations @@ -24,7 +45,8 @@ tags: asset_type: Endpoint confidence: 60 impact: 100 - message: The process $process_name$ added a suspicious length of registry data on $dest$. + message: The process $process_name$ added a suspicious length of registry data on + $dest$. mitre_attack_id: - T1027 - T1027.011 @@ -51,24 +73,24 @@ tags: - Splunk Cloud required_fields: - _time - - user - - dest - - process_id - - process_name - - process - - process_path - - parent_process_name - - parent_process + - user + - dest + - process_id + - process_name + - process + - process_path + - parent_process_name + - parent_process - process_guid - - registry_path - - registry_value_name - - registry_value_data + - registry_path + - registry_value_name + - registry_value_data - registry_key_name risk_score: 60 - security_domain: endpoint + security_domain: endpoint tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_regsvr32_renamed_binary.yml b/detections/endpoint/windows_regsvr32_renamed_binary.yml index 563327392e..b002fbf510 100644 --- a/detections/endpoint/windows_regsvr32_renamed_binary.yml +++ b/detections/endpoint/windows_regsvr32_renamed_binary.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_regsvr32_renamed_binary_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg diff --git a/detections/endpoint/windows_remote_access_software_hunt.yml b/detections/endpoint/windows_remote_access_software_hunt.yml index 69a39ed87b..4e3bc482d1 100644 --- a/detections/endpoint/windows_remote_access_software_hunt.yml +++ b/detections/endpoint/windows_remote_access_software_hunt.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility | search isutility = True | `windows_remote_access_software_hunt_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives will be found. Filter as needed and create higher fidelity analytics based off banned remote access software. references: diff --git a/detections/endpoint/windows_remote_assistance_spawning_process.yml b/detections/endpoint/windows_remote_assistance_spawning_process.yml index a0c1a597ba..a41c8d5f93 100644 --- a/detections/endpoint/windows_remote_assistance_spawning_process.yml +++ b/detections/endpoint/windows_remote_assistance_spawning_process.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_assistance_spawning_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited, filter as needed. Add additional shells as needed. references: diff --git a/detections/endpoint/windows_remote_create_service.yml b/detections/endpoint/windows_remote_create_service.yml index 895dc5888d..96062c8282 100644 --- a/detections/endpoint/windows_remote_create_service.yml +++ b/detections/endpoint/windows_remote_create_service.yml @@ -7,25 +7,38 @@ status: production type: Anomaly data_source: - Sysmon Event ID 1 -description: This analytic identifies an endpoint that remotely connects to another endpoint to create a new service using sc.exe. On the remote endpoint, the new service will be created and this action will trigger the creation of EventCode 7045 along with all the resulting service information. +description: This analytic identifies an endpoint that remotely connects to another + endpoint to create a new service using sc.exe. On the remote endpoint, the new service + will be created and this action will trigger the creation of EventCode 7045 along + with all the resulting service information. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process IN ("*create*") Processes.process="*\\\\*" - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name - Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_remote_create_service_filter`' -how_to_implement: To implement this search, it is necessary to ingest information on processes that include the name of the process responsible for the changes from your endpoints into the Endpoint data model within the Processes node. Additionally, it is recommended to confirm that the latest version of CIM App (4.20 or higher) and the latest TA for the endpoint product are installed. -known_false_positives: Note that false positives may occur, and filtering may be necessary, especially when it comes to remote service creation by administrators or software management utilities. + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe + Processes.process IN ("*create*") Processes.process="*\\\\*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_create_service_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Note that false positives may occur, and filtering may be necessary, + especially when it comes to remote service creation by administrators or software + management utilities. references: - - https://attack.mitre.org/techniques/T1543/003/ +- https://attack.mitre.org/techniques/T1543/003/ tags: analytic_story: - Active Directory Lateral Movement asset_type: Endpoint confidence: 50 impact: 50 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a remote service. + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to create a remote service. mitre_attack_id: - T1543 - T1543.003 @@ -54,11 +67,11 @@ tags: - _time - Processes.dest - Processes.user - - Processes.parent_process_name #parent process name - - Processes.parent_process #parent cmdline + - Processes.parent_process_name + - Processes.parent_process - Processes.original_file_name - - Processes.process_name #process name - - Processes.process #process cmdline + - Processes.process_name + - Processes.process - Processes.process_id - Processes.parent_process_path - Processes.process_path diff --git a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml index 30d744ec8d..eb9c8b7266 100644 --- a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml +++ b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_service_rdpwinst_tool_execution_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: This tool was designed for home usage and not commonly seen in production environment. Filter as needed. references: diff --git a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml index 6ccf1bc5bc..e1ce428615 100644 --- a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml +++ b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml @@ -23,10 +23,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as = "*action=allow*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_rdp_in_firewall_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data - that records process activity from your hosts to populate the endpoint data model - in the processes node. If you are using Sysmon, you must have at least version 6.0.4 - of the Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: administrators may enable or disable this feature that may cause some false positive. references: diff --git a/detections/endpoint/windows_rundll32_webdav_request.yml b/detections/endpoint/windows_rundll32_webdav_request.yml index 2f0410210c..a3962e215c 100644 --- a/detections/endpoint/windows_rundll32_webdav_request.yml +++ b/detections/endpoint/windows_rundll32_webdav_request.yml @@ -7,22 +7,32 @@ type: TTP status: production data_source: - Sysmon Event ID 1 -description: The following analytic identifies rundll32.exe with the commandline arguments loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav instance. This particular behavior was recently showcased in CVE-2023-23397. +description: The following analytic identifies rundll32.exe with the commandline arguments + loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav + instance. This particular behavior was recently showcased in CVE-2023-23397. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*","*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_rundll32_webdav_request_filter`' -how_to_implement: In addition to getting the correct data, adding a join with network connection will assist with making this higher fidelity. We removed the parent_process_name=svchost.exe to look more broad, this will need to be tuned. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives will be present based on legitimate software, filtering may need to occur. + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe + Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*","*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_webdav_request_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will be present based on legitimate software, + filtering may need to occur. references: - - https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html - - https://twitter.com/ACEResponder/status/1636116096506818562?s=20 - - https://twitter.com/domchell/status/1635999068282408962?s=20 - - https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/ - - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/ +- https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html +- https://twitter.com/ACEResponder/status/1636116096506818562?s=20 +- https://twitter.com/domchell/status/1635999068282408962?s=20 +- https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/ +- https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/ tags: analytic_story: - CVE-2023-23397 Outlook Elevation of Privilege @@ -31,7 +41,8 @@ tags: - CVE-2023-23397 confidence: 60 impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server. + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server. mitre_attack_id: - T1048.003 observable: @@ -59,11 +70,11 @@ tags: - _time - Processes.dest - Processes.user - - Processes.parent_process_name #parent process name - - Processes.parent_process #parent cmdline + - Processes.parent_process_name + - Processes.parent_process - Processes.original_file_name - - Processes.process_name #process name - - Processes.process #process cmdline + - Processes.process_name + - Processes.process - Processes.process_id - Processes.parent_process_path - Processes.process_path @@ -75,4 +86,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml index 4601d07fb6..1f78c19138 100644 --- a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml +++ b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml @@ -6,26 +6,39 @@ author: Michael Haag, Splunk type: TTP status: experimental data_source: [] -description: The following analytic identifies rundll32.exe with the commandline arguments loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav instance. The analytic attempts to use join from Processes and All_Traffic to identify the network connection. This particular behavior was recently showcased in CVE-2023-23397. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe `process_rundll32` Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*", "*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | rename dest as src - | join host process_id - [ - | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 - NOT (All_Traffic.dest_ip IN (10.0.0.0/12, 172.16.0.0/12, 192.168.0.0/16)) by host All_Traffic.process_id - | `drop_dm_object_name(All_Traffic)`] - | `windows_rundll32_webdav_with_network_connection_filter`' -how_to_implement: We removed the parent_process_name=svchost.exe to look more broad, this will need to be tuned. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and the All_Traffic Datamodel. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives will be present based on legitimate software, filtering may need to occur. +description: The following analytic identifies rundll32.exe with the commandline arguments + loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav + instance. The analytic attempts to use join from Processes and All_Traffic to identify + the network connection. This particular behavior was recently showcased in CVE-2023-23397. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe + `process_rundll32` Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*", + "*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") by host _time span=1h Processes.process_id + Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name + Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | rename dest as src | join host process_id + [ | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest + latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port + FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 NOT (All_Traffic.dest_ip + IN (10.0.0.0/12, 172.16.0.0/12, 192.168.0.0/16)) by host All_Traffic.process_id + | `drop_dm_object_name(All_Traffic)`] | `windows_rundll32_webdav_with_network_connection_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will be present based on legitimate software, + filtering may need to occur. references: - - https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html - - https://twitter.com/ACEResponder/status/1636116096506818562?s=20 - - https://twitter.com/domchell/status/1635999068282408962?s=20 - - https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/ - - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/ +- https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html +- https://twitter.com/ACEResponder/status/1636116096506818562?s=20 +- https://twitter.com/domchell/status/1635999068282408962?s=20 +- https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/ +- https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/ tags: analytic_story: - CVE-2023-23397 Outlook Elevation of Privilege @@ -34,7 +47,8 @@ tags: - CVE-2023-23397 confidence: 60 impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server. + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server. mitre_attack_id: - T1048.003 observable: @@ -62,11 +76,11 @@ tags: - _time - Processes.dest - Processes.user - - Processes.parent_process_name #parent process name - - Processes.parent_process #parent cmdline + - Processes.parent_process_name + - Processes.parent_process - Processes.original_file_name - - Processes.process_name #process name - - Processes.process #process cmdline + - Processes.process_name + - Processes.process - Processes.process_id - Processes.parent_process_path - Processes.process_path @@ -81,4 +95,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml index f9ce792f01..4786163e0c 100644 --- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml +++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml @@ -7,21 +7,39 @@ status: production type: TTP data_source: - Sysmon Event ID 1 -description: The following analytic detects the creation of suspicious scheduled tasks in Windows, specifically tasks created using schtasks.exe with the -create flag and an XML parameter in the command-line. This technique is commonly employed by threat actors, adversaries, and red teamers to establish persistence or achieve privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern have been observed using XML files to create scheduled tasks. Monitoring and investigating this activity is crucial to mitigate potential security risks. It is important to be aware that scripts or administrators may trigger this analytic, leading to potential false positives. To minimize false positives, adjust the filter based on the parent process or application.\ +description: 'The following analytic detects the creation of suspicious scheduled + tasks in Windows, specifically tasks created using schtasks.exe with the -create + flag and an XML parameter in the command-line. This technique is commonly employed + by threat actors, adversaries, and red teamers to establish persistence or achieve + privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern + have been observed using XML files to create scheduled tasks. Monitoring and investigating + this activity is crucial to mitigate potential security risks. It is important to + be aware that scripts or administrators may trigger this analytic, leading to potential + false positives. To minimize false positives, adjust the filter based on the parent + process or application.\ - When a true positive is detected, it suggests an attacker's attempt to gain persistence or execute additional malicious payloads, potentially resulting in data theft, ransomware, or other damaging outcomes. During triage, review the source of the scheduled task, the command to be executed, and capture any relevant on-disk artifacts. Analyze concurrent processes to identify the source of the attack. This analytic enables analysts to detect and respond to potential threats early, mitigating the associated risks effectively. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name=schtasks.exe Processes.process=*create* Processes.process="* /xml *" - by Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.process_id Processes.parent_process_guid Processes.dest - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_scheduled_task_created_via_xml_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + When a true positive is detected, it suggests an attacker''s attempt to gain persistence + or execute additional malicious payloads, potentially resulting in data theft, ransomware, + or other damaging outcomes. During triage, review the source of the scheduled task, + the command to be executed, and capture any relevant on-disk artifacts. Analyze + concurrent processes to identify the source of the attack. This analytic enables + analysts to detect and respond to potential threats early, mitigating the associated + risks effectively.' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe + Processes.process=*create* Processes.process="* /xml *" by Processes.user Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.process_guid + Processes.process_id Processes.parent_process_guid Processes.dest | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_created_via_xml_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application. references: @@ -36,7 +54,8 @@ tags: dataset: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log impact: 70 - message: A scheduled task process, $process_name$, with 'create' or 'delete' commands present in the command line. + message: A scheduled task process, $process_name$, with 'create' or 'delete' commands + present in the command line. mitre_attack_id: - T1053.005 - T1053 @@ -72,4 +91,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml index bf72730ea2..878a83cc05 100644 --- a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml +++ b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml @@ -5,19 +5,34 @@ date: '2023-06-13' author: Steven Dick status: production type: TTP -description: The following analytic identifies when the Task Scheduler service "svchost.exe -k netsvcs -p -s Schedule" is the parent process to common command line, scripting, or shell execution binaries. Attackers often abuse the task scheduler service with these binaries as an execution and persistence mechanism in order to blend in with normal Windows operations. This TTP is also commonly seen for legitimate purposes such as business scripts or application updates. +description: The following analytic identifies when the Task Scheduler service "svchost.exe + -k netsvcs -p -s Schedule" is the parent process to common command line, scripting, + or shell execution binaries. Attackers often abuse the task scheduler service with + these binaries as an execution and persistence mechanism in order to blend in with + normal Windows operations. This TTP is also commonly seen for legitimate purposes + such as business scripts or application updates. data_source: - Sysmon 1 - Windows Security 4688 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where -Processes.parent_process="*\\system32\\svchost.exe*" AND Processes.parent_process="*-k*" AND Processes.parent_process= "*netsvcs*" AND Processes.parent_process="*-p*" AND Processes.parent_process="*-s*" AND Processes.parent_process="*Schedule*" Processes.process_name -IN("powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "sh.exe", "ksh.exe", "zsh.exe", "bash.exe", "scrcons.exe","pwsh.exe") -by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name -| `drop_dm_object_name(Processes)` -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `windows_scheduled_task_service_spawned_shell_filter`' -how_to_implement: The following analytic requires Sysmon or Windows logging with command line logging enabled. Use filter to remove known environment known false positives prior to full production usage. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*\\system32\\svchost.exe*" + AND Processes.parent_process="*-k*" AND Processes.parent_process= "*netsvcs*" AND + Processes.parent_process="*-p*" AND Processes.parent_process="*-s*" AND Processes.parent_process="*Schedule*" + Processes.process_name IN("powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", + "sh.exe", "ksh.exe", "zsh.exe", "bash.exe", "scrcons.exe","pwsh.exe") by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.parent_process_name | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_scheduled_task_service_spawned_shell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown, possible custom scripting. references: - https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations @@ -29,9 +44,10 @@ tags: asset_type: Endpoint confidence: 25 impact: 80 - message: A windows scheduled task spawned the shell application $process_name$ on $dest$. + message: A windows scheduled task spawned the shell application $process_name$ on + $dest$. mitre_attack_id: - - T1053.005 + - T1053.005 - T1059 observable: - name: dest @@ -52,13 +68,13 @@ tags: - Splunk Cloud required_fields: - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name + - Processes.dest + - Processes.user + - Processes.parent_process + - Processes.process_name - Processes.process - Processes.process_id - - Processes.parent_process_id + - Processes.parent_process_id - Processes.parent_process_name risk_score: 20 security_domain: endpoint diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml index 8d58aebdf3..17e67d5bd4 100644 --- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml +++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml @@ -5,9 +5,18 @@ date: '2023-01-26' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches.\ +description: 'The following analytic detects the creation of a new task with the highest + execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT + attacks, where the scheduled task is used for persistence and privilege escalation. + AsyncRAT sets up a scheduled task with parameters ''/rl'' and ''highest'', triggering + this technique. It''s a strong indicator of potential malware or adversaries seeking + to establish persistence and escalate privileges through scheduled tasks. This is + crucial for a Security Operations Center (SOC) as it can prevent unauthorized system + access and potential data breaches.\ - The analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered. + The analytic works by monitoring logs for process name, parent process, and command-line + executions. In the presence of the ''*/rl '' and '' highest *'' commands in a schtasks.exe + process, an alert is triggered.' data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -16,11 +25,18 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.parent_process Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_with_highest_privileges_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of wermgr.exe may be used. -known_false_positives: False positives may arise from legitimate applications that create tasks to run as SYSTEM. Therefore, it's recommended to adjust filters based on parent process or modify the query to include world writable paths for restriction. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may arise from legitimate applications that + create tasks to run as SYSTEM. Therefore, it's recommended to adjust filters based + on parent process or modify the query to include world writable paths for restriction. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat tags: diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml index b14fc05586..abd1031305 100644 --- a/detections/endpoint/windows_schtasks_create_run_as_system.yml +++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml @@ -5,7 +5,15 @@ date: '2022-02-07' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. +description: The following analytic identifies the creation of a new task to start + and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly + used by adversaries to spawn a process in an elevated state. If a true positive + is found, it suggests an attacker is attempting to persist within the environment + or potentially deliver additional malicious payloads, leading to data theft, ransomware, + or other damaging outcomes. Upon triage, review the scheduled task's source and + the command to be executed. Capture and inspect any relevant on-disk artifacts, + and look for concurrent processes to identify the attack source. This approach helps + analysts detect potential threats earlier and mitigate the risks. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -14,11 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_schtasks_create_run_as_system_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it. diff --git a/detections/endpoint/windows_security_account_manager_stopped.yml b/detections/endpoint/windows_security_account_manager_stopped.yml index 90894e4f77..a4ff3fe6d6 100644 --- a/detections/endpoint/windows_security_account_manager_stopped.yml +++ b/detections/endpoint/windows_security_account_manager_stopped.yml @@ -14,10 +14,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime "Processes.process"="*stop \"samss\"*") BY "Processes.dest", "Processes.user", "Processes.process" | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_security_account_manager_stopped_filter`' -how_to_implement: You must be ingesting data that records the process-system activity - from your hosts to populate the Endpoint Processes data-model object. If you are - using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which - you want to collect data. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: SAM is a critical windows service, stopping it would cause major issues on an endpoint this makes false positive rare. AlthoughNo false positives have been identified. diff --git a/detections/endpoint/windows_security_support_provider_reg_query.yml b/detections/endpoint/windows_security_support_provider_reg_query.yml index cbca335be8..bcb529bf31 100644 --- a/detections/endpoint/windows_security_support_provider_reg_query.yml +++ b/detections/endpoint/windows_security_support_provider_reg_query.yml @@ -24,10 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_security_support_provider_reg_query_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of wermgr.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/ diff --git a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml index 3adebab2cd..936478a239 100644 --- a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml +++ b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml @@ -23,11 +23,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_server_software_component_gacutil_install_to_gac_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present if gacutil.exe is utilized day to day by developers. Filter as needed. references: diff --git a/detections/endpoint/windows_service_create_kernel_mode_driver.yml b/detections/endpoint/windows_service_create_kernel_mode_driver.yml index 85b9162572..f04ff7959c 100644 --- a/detections/endpoint/windows_service_create_kernel_mode_driver.yml +++ b/detections/endpoint/windows_service_create_kernel_mode_driver.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_kernel_mode_driver_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present based on common applications adding new drivers, however, filter as needed. references: diff --git a/detections/endpoint/windows_service_create_with_tscon.yml b/detections/endpoint/windows_service_create_with_tscon.yml index 73c144ee66..02a95e9230 100644 --- a/detections/endpoint/windows_service_create_with_tscon.yml +++ b/detections/endpoint/windows_service_create_with_tscon.yml @@ -7,26 +7,52 @@ type: TTP status: production data_source: - Sysmon Event ID 1 -description: 'The following analytic detects potential RDP Hijacking attempts by monitoring a series of actions taken by an attacker to gain unauthorized access to a remote system. The attacker first runs the quser command to query the remote host for disconnected user sessions. Upon identifying a disconnected session, they use the sc.exe command to create a new Windows service with a binary path that launches tscon.exe. By specifying the disconnected session ID and a destination ID, the attacker can transfer the disconnected session to a new RDP session, effectively hijacking the user''s session. This analytic allows security teams to detect and respond to RDP Hijacking attempts, mitigating potential risks and impacts on targeted systems.' +description: The following analytic detects potential RDP Hijacking attempts by monitoring + a series of actions taken by an attacker to gain unauthorized access to a remote + system. The attacker first runs the quser command to query the remote host for disconnected + user sessions. Upon identifying a disconnected session, they use the sc.exe command + to create a new Windows service with a binary path that launches tscon.exe. By specifying + the disconnected session ID and a destination ID, the attacker can transfer the + disconnected session to a new RDP session, effectively hijacking the user's session. + This analytic allows security teams to detect and respond to RDP Hijacking attempts, + mitigating potential risks and impacts on targeted systems. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe - Processes.process="*/dest:rdp-tcp*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_service_create_with_tscon_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives may arise in the RDP Hijacking analytic when legitimate administrators access remote sessions for maintenance or troubleshooting purposes. These activities might resemble an attacker''s attempt to hijack a disconnected session, leading to false alarms. To mitigate the risk of false positives and improve the overall security posture, organizations can implement Group Policy to automatically disconnect RDP sessions when they are complete. By enforcing this policy, administrators ensure that disconnected sessions are promptly terminated, reducing the window of opportunity for an attacker to hijack a session. Additionally, organizations can also implement access control mechanisms and monitor the behavior of privileged accounts to further enhance security and reduce the chances of false positives in RDP Hijacking detection. + Processes.process="*/dest:rdp-tcp*" by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_service_create_with_tscon_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may arise in the RDP Hijacking analytic when + legitimate administrators access remote sessions for maintenance or troubleshooting + purposes. These activities might resemble an attacker''s attempt to hijack a disconnected + session, leading to false alarms. To mitigate the risk of false positives and improve + the overall security posture, organizations can implement Group Policy to automatically + disconnect RDP sessions when they are complete. By enforcing this policy, administrators + ensure that disconnected sessions are promptly terminated, reducing the window of + opportunity for an attacker to hijack a session. Additionally, organizations can + also implement access control mechanisms and monitor the behavior of privileged + accounts to further enhance security and reduce the chances of false positives in + RDP Hijacking detection. references: - - https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md +- https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md tags: analytic_story: - Active Directory Lateral Movement asset_type: Endpoint confidence: 80 impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to hijack a RDP session. + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to hijack a RDP session. mitre_attack_id: - T1563.002 - T1563 @@ -57,10 +83,10 @@ tags: - Processes.dest - Processes.user - Processes.parent_process_name - - Processes.parent_process #parent cmdline + - Processes.parent_process - Processes.original_file_name - - Processes.process_name #process name - - Processes.process #process cmdline + - Processes.process_name + - Processes.process - Processes.process_id - Processes.parent_process_path - Processes.process_path @@ -72,4 +98,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/tscon_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml index bec7bd3251..cc40d6ec9b 100644 --- a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml +++ b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml @@ -18,9 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_creation_on_remote_endpoint_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may create Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users. references: diff --git a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml index 68754298f7..286e8f3f65 100644 --- a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml @@ -17,9 +17,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_initiation_on_remote_endpoint_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may start Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users. references: diff --git a/detections/endpoint/windows_service_stop_by_deletion.yml b/detections/endpoint/windows_service_stop_by_deletion.yml index 20ec8ac144..2fd1d18c95 100644 --- a/detections/endpoint/windows_service_stop_by_deletion.yml +++ b/detections/endpoint/windows_service_stop_by_deletion.yml @@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_by_deletion_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: It is possible administrative scripts may start/stop/delete services. Filter as needed. references: diff --git a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml index a09c91a2f5..82215818f7 100644 --- a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml +++ b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_via_net__and_sc_application_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Windows OS or software may stop and restart services due to some critical update. references: diff --git a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml index 1a9b4a275a..e0a037b991 100644 --- a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml +++ b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml @@ -23,11 +23,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_onenote_spawn_mshta_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: No false positives known. Filter as needed. references: - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/ diff --git a/detections/endpoint/windows_sql_spawning_certutil.yml b/detections/endpoint/windows_sql_spawning_certutil.yml index 3c9689795c..13df0d09fe 100644 --- a/detections/endpoint/windows_sql_spawning_certutil.yml +++ b/detections/endpoint/windows_sql_spawning_certutil.yml @@ -7,14 +7,42 @@ status: experimental type: TTP data_source: - Sysmon Event ID 1 -description: 'The following analytic detects the use of certutil to download software, a behavior exhibited by the threat actor Flax Typhoon. This actor deploys a VPN connection by downloading an executable file for SoftEther VPN from their network infrastructure using one of several LOLBins, including certutil. The actor then uses the Service Control Manager (SCM) to create a Windows service that launches the VPN connection automatically when the system starts. This behavior allows the actor to monitor the availability of the compromised system and establish an RDP connection. This analytic identifies this behavior by monitoring for the use of certutil in conjunction with the downloading of software. This behavior is worth identifying for a SOC as it indicates a potential compromise of the system and the establishment of a persistent threat. If a true positive is found, it suggests an attacker has gained access to the environment and is attempting to maintain that access, potentially leading to further malicious activities such as data theft or ransomware attacks. Be aware of potential false positives - legitimate uses of certutil in your environment may cause benign activities to be flagged. Upon triage, review the command executed and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.' -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe", "sqldumper.exe") `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_sql_spawning_certutil_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: The occurrence of false positives should be minimal, given that the SQL agent does not typically download software using CertUtil. +description: The following analytic detects the use of certutil to download software, + a behavior exhibited by the threat actor Flax Typhoon. This actor deploys a VPN + connection by downloading an executable file for SoftEther VPN from their network + infrastructure using one of several LOLBins, including certutil. The actor then + uses the Service Control Manager (SCM) to create a Windows service that launches + the VPN connection automatically when the system starts. This behavior allows the + actor to monitor the availability of the compromised system and establish an RDP + connection. This analytic identifies this behavior by monitoring for the use of + certutil in conjunction with the downloading of software. This behavior is worth + identifying for a SOC as it indicates a potential compromise of the system and the + establishment of a persistent threat. If a true positive is found, it suggests an + attacker has gained access to the environment and is attempting to maintain that + access, potentially leading to further malicious activities such as data theft or + ransomware attacks. Be aware of potential false positives - legitimate uses of certutil + in your environment may cause benign activities to be flagged. Upon triage, review + the command executed and look for concurrent processes to identify the attack source. + This approach helps analysts detect potential threats earlier and mitigate the risks. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name + IN ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe", "sqldumper.exe") + `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* + by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.original_file_name + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_sql_spawning_certutil_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: The occurrence of false positives should be minimal, given + that the SQL agent does not typically download software using CertUtil. references: - https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/ tags: @@ -24,7 +52,8 @@ tags: atomic_guid: [] confidence: 100 impact: 90 - message: '$process_name$ was launched on $dest$ by $user$. This behavior is uncommon with the SQL process identified.' + message: $process_name$ was launched on $dest$ by $user$. This behavior is uncommon + with the SQL process identified. mitre_attack_id: - T1105 observable: @@ -55,4 +84,4 @@ tags: - Processes.process_id - Processes.original_file_name - Processes.parent_process_id - security_domain: endpoint \ No newline at end of file + security_domain: endpoint diff --git a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml index 034e7aacf6..852c5dd3ee 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certutil_backup_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP. diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml index a24855c7cc..40986e778d 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml @@ -15,10 +15,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_certificate_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Filtering may be requried based on automated utilities and third party applications that may export certificates. references: diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml index 113ed1d246..d38edaf9af 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml @@ -15,10 +15,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_pfxcertificate_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Filtering may be requried based on automated utilities and third party applications that may export certificates. references: diff --git a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml index e26abae44b..d4e58b618b 100644 --- a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml +++ b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_or_forge_kerberos_tickets_klist_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of wermgr.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS diff --git a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml index 1e653cc3a5..01ceff141d 100644 --- a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml +++ b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml @@ -18,11 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_binary_proxy_execution_compiled_html_file_decompile_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited, filter as needed. references: - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ diff --git a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml index 6224404d1d..2da1054015 100644 --- a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml +++ b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml @@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_ldap_nslookup_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: dministrator may execute this commandline tool for auditing purposes. Filter as needed. references: diff --git a/detections/endpoint/windows_system_discovery_using_qwinsta.yml b/detections/endpoint/windows_system_discovery_using_qwinsta.yml index 5e14a6a407..bd6d2435b8 100644 --- a/detections/endpoint/windows_system_discovery_using_qwinsta.yml +++ b/detections/endpoint/windows_system_discovery_using_qwinsta.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_qwinsta_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator may execute this commandline tool for auditing purposes. Filter as needed. references: diff --git a/detections/endpoint/windows_system_logoff_commandline.yml b/detections/endpoint/windows_system_logoff_commandline.yml index f611623f10..ddd86b2edc 100644 --- a/detections/endpoint/windows_system_logoff_commandline.yml +++ b/detections/endpoint/windows_system_logoff_commandline.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_logoff_commandline_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator may execute this commandline to trigger shutdown, logoff or restart the host machine. references: diff --git a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml index b4b9802852..ceab64ea3a 100644 --- a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml +++ b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml @@ -22,10 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_config_discovery_display_dns_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of wermgr.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://superuser.com/questions/230308/explain-output-of-ipconfig-displaydns diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml index d45d594282..c7a1742acf 100644 --- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml +++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml @@ -22,10 +22,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_connections_discovery_netsh_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of wermgr.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: network administrator can use this tool for auditing process. references: - https://attack.mitre.org/techniques/T1049/ diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml index f12df962ab..ab2bd4d0e8 100644 --- a/detections/endpoint/windows_system_reboot_commandline.yml +++ b/detections/endpoint/windows_system_reboot_commandline.yml @@ -22,11 +22,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_reboot_commandline_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator may execute this commandline to trigger shutdown or restart the host machine. references: diff --git a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml index b1a0e12440..aa78761c18 100644 --- a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml +++ b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml @@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_script_proxy_execution_syncappvpublishingserver_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. Filter as needed. Adding a n; to the command-line arguments may help reduce any noise. diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml index 32d0824149..8d0dd1d901 100644 --- a/detections/endpoint/windows_system_shutdown_commandline.yml +++ b/detections/endpoint/windows_system_shutdown_commandline.yml @@ -5,30 +5,38 @@ date: '2023-06-20' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This detection rule is designed to identify the execution of the Windows shutdown command via command line interface. - The shutdown command can be utilized by system administrators to properly halt, power off, or reboot a computer. - However, in a security context, attackers who have gained unauthorized access to a system may also use this command in an effort to erase tracks, - or to cause disruption and denial of service. In some instances, they might execute the shutdown command after installing a backdoor, - to force the system to restart, ensuring that changes take effect or evading detection by security tools. - Monitoring for the use of the Windows shutdown command, especially in conjunction with other unusual or unauthorized activities, - can be an important part of identifying malicious behavior within a network. - It is advised that security professionals analyze the context in which the shutdown command is being executed to differentiate between - legitimate administrative functions and potentially malicious activity. +description: This detection rule is designed to identify the execution of the Windows + shutdown command via command line interface. The shutdown command can be utilized + by system administrators to properly halt, power off, or reboot a computer. However, + in a security context, attackers who have gained unauthorized access to a system + may also use this command in an effort to erase tracks, or to cause disruption and + denial of service. In some instances, they might execute the shutdown command after + installing a backdoor, to force the system to restart, ensuring that changes take + effect or evading detection by security tools. Monitoring for the use of the Windows + shutdown command, especially in conjunction with other unusual or unauthorized activities, + can be an important part of identifying malicious behavior within a network. It + is advised that security professionals analyze the context in which the shutdown + command is being executed to differentiate between legitimate administrative functions + and potentially malicious activity. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) - Processes.process="*shutdown*" AND Processes.process IN("* /s*", "* -s*", "* /r*", "* -r*") AND Processes.process="* /t*" - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_system_shutdown_commandline_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. + Processes.process="*shutdown*" AND Processes.process IN("* /s*", "* -s*", "* /r*", + "* -r*") AND Processes.process="* /t*" by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_system_shutdown_commandline_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator may execute this commandline to trigger shutdown or restart the host machine. references: diff --git a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml index 23fc453c06..b77925b9c3 100644 --- a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml +++ b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_time_discovery_w32tm_delay_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://cert.gov.ua/article/405538 diff --git a/detections/endpoint/windows_system_user_discovery_via_quser.yml b/detections/endpoint/windows_system_user_discovery_via_quser.yml index 8ced0332a9..58e4a1ec28 100644 --- a/detections/endpoint/windows_system_user_discovery_via_quser.yml +++ b/detections/endpoint/windows_system_user_discovery_via_quser.yml @@ -24,10 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_discovery_via_quser_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of wermgr.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: network administrator can use this command tool to audit RDP access of user in specific network or host. references: diff --git a/detections/endpoint/windows_valid_account_with_never_expires_password.yml b/detections/endpoint/windows_valid_account_with_never_expires_password.yml index 95f90c5b1a..ab08d1197e 100644 --- a/detections/endpoint/windows_valid_account_with_never_expires_password.yml +++ b/detections/endpoint/windows_valid_account_with_never_expires_password.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_valid_account_with_never_expires_password_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: This behavior is not commonly seen in production environment and not advisable, filter as needed. references: diff --git a/detections/endpoint/windows_winlogon_with_public_network_connection.yml b/detections/endpoint/windows_winlogon_with_public_network_connection.yml index cca97d123c..4a804bf9de 100644 --- a/detections/endpoint/windows_winlogon_with_public_network_connection.yml +++ b/detections/endpoint/windows_winlogon_with_public_network_connection.yml @@ -6,29 +6,51 @@ author: Michael Haag, Splunk status: experimental type: Hunting data_source: - - Sysmon Event ID 1 - - Sysmon Event ID 3 -description: The following analytic is designed to detect anomalous behavior associated with the BlackLotus Campaign, a sophisticated bootkit attack reported by ESET and further investigated in a blog by Microsoft, which provided hunting queries for security analysts. The primary focus of this analytic is to identify instances of Winlogon.exe, a critical Windows process, connecting to public IP space, which is indicative of potential malicious activity.\ - The BlackLotus Campaign is a bootkit-based attack that compromises system integrity by infecting the Master Boot Record (MBR) and Volume Boot Record (VBR). This malware variant can bypass traditional security measures, load before the operating system, and maintain persistence on the target system.\ +- Sysmon Event ID 1 +- Sysmon Event ID 3 +description: 'The following analytic is designed to detect anomalous behavior associated + with the BlackLotus Campaign, a sophisticated bootkit attack reported by ESET and + further investigated in a blog by Microsoft, which provided hunting queries for + security analysts. The primary focus of this analytic is to identify instances of + Winlogon.exe, a critical Windows process, connecting to public IP space, which is + indicative of potential malicious activity.\ The BlackLotus Campaign is a bootkit-based + attack that compromises system integrity by infecting the Master Boot Record (MBR) + and Volume Boot Record (VBR). This malware variant can bypass traditional security + measures, load before the operating system, and maintain persistence on the target + system.\ - Winlogon.exe is a critical Windows process responsible for managing user logon and logoff processes. Under normal circumstances, Winlogon.exe should not be connecting to public IP addresses. However, if it does, it may indicate that the process has been compromised as part of the BlackLotus Campaign or another malicious operation.\ + Winlogon.exe is a critical Windows process responsible for managing user logon and + logoff processes. Under normal circumstances, Winlogon.exe should not be connecting + to public IP addresses. However, if it does, it may indicate that the process has + been compromised as part of the BlackLotus Campaign or another malicious operation.\ - This analytic monitors network connections made by Winlogon.exe and triggers an alert if it detects connections to public IP space. By identifying such anomalous behavior, security analysts can investigate further and respond swiftly to potential threats. + This analytic monitors network connections made by Winlogon.exe and triggers an + alert if it detects connections to public IP space. By identifying such anomalous + behavior, security analysts can investigate further and respond swiftly to potential + threats.' search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe) Processes.process!=unknown - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | join process_id [| tstats `security_content_summariesonly` - count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 NOT (All_Traffic.dest IN (127.0.0.1,10.0.0.0/12,172.16.0.0/12, 192.168.0.0/16, 0:0:0:0:0:0:0:1)) by All_Traffic.process_id - All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as publicIp ] - | table dest parent_process_name process_name process_path process process_id dest_port publicIp - | `windows_winlogon_with_public_network_connection_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and Network_Traffic datamodel under All Traffic. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives will be present and filtering will be required. Legitimate IPs will be present and need to be filtered. + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id + [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic + where All_Traffic.dest_port != 0 NOT (All_Traffic.dest IN (127.0.0.1,10.0.0.0/12,172.16.0.0/12, + 192.168.0.0/16, 0:0:0:0:0:0:0:1)) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port + | `drop_dm_object_name(All_Traffic)` | rename dest as publicIp ] | table dest parent_process_name + process_name process_path process process_id dest_port publicIp | `windows_winlogon_with_public_network_connection_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will be present and filtering will be required. + Legitimate IPs will be present and need to be filtered. references: - - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ +- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ tags: analytic_story: - BlackLotus Campaign @@ -36,27 +58,28 @@ tags: atomic_guid: [] confidence: 50 impact: 50 - message: Winlogon.exe has generated a network connection to a remote destination on endpoint $dest$. + message: Winlogon.exe has generated a network connection to a remote destination + on endpoint $dest$. mitre_attack_id: - T1542.003 observable: - - name: dest - type: Hostname - role: - - Victim + - name: dest + type: Hostname + role: + - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud risk_score: 25 required_fields: - - dest - - parent_process_name - - process_name - - process_path - - process - - process_id - - dest_port + - dest + - parent_process_name + - process_name + - process_path + - process + - process_id + - dest_port - publicIp security_domain: endpoint tests: diff --git a/detections/endpoint/windows_wmi_process_and_service_list.yml b/detections/endpoint/windows_wmi_process_and_service_list.yml index 698b45f1d7..04af50a076 100644 --- a/detections/endpoint/windows_wmi_process_and_service_list.yml +++ b/detections/endpoint/windows_wmi_process_and_service_list.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_and_service_list_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances of wermgr.exe may be used. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: netowrk administrator or IT may execute this command for auditing processes and services. references: diff --git a/detections/endpoint/windows_wmi_process_call_create.yml b/detections/endpoint/windows_wmi_process_call_create.yml index f229503b03..82943f9833 100644 --- a/detections/endpoint/windows_wmi_process_call_create.yml +++ b/detections/endpoint/windows_wmi_process_call_create.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_call_create_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may execute this command for testing or auditing. references: - https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml diff --git a/detections/endpoint/winhlp32_spawning_a_process.yml b/detections/endpoint/winhlp32_spawning_a_process.yml index ce87da6fde..b4fbde386f 100644 --- a/detections/endpoint/winhlp32_spawning_a_process.yml +++ b/detections/endpoint/winhlp32_spawning_a_process.yml @@ -23,11 +23,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winhlp32_spawning_a_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited as winhlp32.exe is typically not used with the latest flavors of Windows OS. However, filter as needed. references: diff --git a/detections/endpoint/winrar_spawning_shell_application.yml b/detections/endpoint/winrar_spawning_shell_application.yml index 4fa8e1957b..b2ee76b313 100644 --- a/detections/endpoint/winrar_spawning_shell_application.yml +++ b/detections/endpoint/winrar_spawning_shell_application.yml @@ -7,15 +7,44 @@ status: production type: TTP data_source: - Sysmon Event ID 1 -description: The following analytic detects the execution of Windows shell processes initiated by WinRAR, specifically looking for instances where WinRAR spawns processes like "cmd.exe", "powershell.exe", "certutil.exe", "mshta.exe", or "bitsadmin.exe". This behavior is worth identifying for a Security Operations Center (SOC) because it is indicative of a spoofing attack exploit, such as the one associated with WinRAR CVE-2023-38831. Cybercriminals exploited this vulnerability to craft ZIP archives with spoofed extensions, hiding the launch of malicious scripts within an archive. When a victim opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability to execute malicious scripts, leading to unauthorized access, financial loss, and potentially the delivery of additional malicious payloads. The impact of the attack could be severe, involving financial loss, unauthorized access to sensitive accounts, and the potential for further malicious activity such as data theft or ransomware attacks. +description: The following analytic detects the execution of Windows shell processes + initiated by WinRAR, specifically looking for instances where WinRAR spawns processes + like "cmd.exe", "powershell.exe", "certutil.exe", "mshta.exe", or "bitsadmin.exe". + This behavior is worth identifying for a Security Operations Center (SOC) because + it is indicative of a spoofing attack exploit, such as the one associated with WinRAR + CVE-2023-38831. Cybercriminals exploited this vulnerability to craft ZIP archives + with spoofed extensions, hiding the launch of malicious scripts within an archive. + When a victim opened the specially crafted archive, it executed the malware, leading + to unauthorized access to their broker accounts and enabling the cybercriminals + to perform illicit financial transactions and withdraw funds. If a true positive + is found, it suggests that an attacker has successfully exploited the vulnerability + to execute malicious scripts, leading to unauthorized access, financial loss, and + potentially the delivery of additional malicious payloads. The impact of the attack + could be severe, involving financial loss, unauthorized access to sensitive accounts, + and the potential for further malicious activity such as data theft or ransomware + attacks. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winrar.exe `windows_shells` OR - Processes.process_name IN ("certutil.exe","mshta.exe","bitsadmin.exe") - by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrar_spawning_shell_application_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: Be aware of potential false positives - legitimate uses of WinRAR and the listed processes in your environment may cause benign activities to be flagged. Upon triage, review the destination, user, parent process, and process name involved in the flagged activity. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winrar.exe + `windows_shells` OR Processes.process_name IN ("certutil.exe","mshta.exe","bitsadmin.exe") + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `winrar_spawning_shell_application_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Be aware of potential false positives - legitimate uses of + WinRAR and the listed processes in your environment may cause benign activities + to be flagged. Upon triage, review the destination, user, parent process, and process + name involved in the flagged activity. Capture and inspect any relevant on-disk + artifacts, and look for concurrent processes to identify the attack source. This + approach helps analysts detect potential threats earlier and mitigate the risks. references: - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ - https://github.com/BoredHackerBlog/winrar_CVE-2023-38831_lazy_poc @@ -29,7 +58,8 @@ tags: atomic_guid: [] confidence: 70 impact: 100 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file. + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to decode a file. mitre_attack_id: - T1105 observable: diff --git a/detections/endpoint/winrm_spawning_a_process.yml b/detections/endpoint/winrm_spawning_a_process.yml index 83180de2a0..9c107644a6 100644 --- a/detections/endpoint/winrm_spawning_a_process.yml +++ b/detections/endpoint/winrm_spawning_a_process.yml @@ -19,9 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrm_spawning_a_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. Add new processes or filter as needed. It is possible system management software may spawn processes from `wsmprovhost.exe`. references: diff --git a/detections/endpoint/winword_spawning_cmd.yml b/detections/endpoint/winword_spawning_cmd.yml index afa1488d13..d86d2e5eaa 100644 --- a/detections/endpoint/winword_spawning_cmd.yml +++ b/detections/endpoint/winword_spawning_cmd.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_cmd_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited, but if any are present, filter as needed. references: diff --git a/detections/endpoint/winword_spawning_powershell.yml b/detections/endpoint/winword_spawning_powershell.yml index b708884f96..ee69b124be 100644 --- a/detections/endpoint/winword_spawning_powershell.yml +++ b/detections/endpoint/winword_spawning_powershell.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `winword_spawning_powershell_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited, but if any are present, filter as needed. references: diff --git a/detections/endpoint/winword_spawning_windows_script_host.yml b/detections/endpoint/winword_spawning_windows_script_host.yml index 58d47e6ec2..c4e3b1d2a6 100644 --- a/detections/endpoint/winword_spawning_windows_script_host.yml +++ b/detections/endpoint/winword_spawning_windows_script_host.yml @@ -23,9 +23,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_windows_script_host_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: There will be limited false positives and it will be different for every environment. Tune by child process or command-line as needed. references: diff --git a/detections/endpoint/wmic_group_discovery.yml b/detections/endpoint/wmic_group_discovery.yml index 382a085af7..9a8eb6dee3 100644 --- a/detections/endpoint/wmic_group_discovery.yml +++ b/detections/endpoint/wmic_group_discovery.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmic_group_discovery_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/001/ diff --git a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml index 515411d34f..2e9c02b4c1 100644 --- a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml +++ b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml @@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_noninteractive_app_uninstallation_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Third party application may use this approach to uninstall applications. references: diff --git a/detections/endpoint/wmic_xsl_execution_via_url.yml b/detections/endpoint/wmic_xsl_execution_via_url.yml index 0d50bd6b59..c4823825c5 100644 --- a/detections/endpoint/wmic_xsl_execution_via_url.yml +++ b/detections/endpoint/wmic_xsl_execution_via_url.yml @@ -21,11 +21,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.original_file_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_xsl_execution_via_url_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives are limited as legitimate applications typically do not download files or xsl using WMIC. Filter as needed. references: diff --git a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml index f747eddacb..30d0533a7c 100644 --- a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml @@ -30,9 +30,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmiprsve_lolbas_execution_process_spawn_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Legitimate applications may trigger this behavior, filter as needed. references: diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml index dab7c518b8..9932f627e1 100644 --- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml +++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml @@ -20,10 +20,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wscript_or_cscript_suspicious_child_process_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may create vbs or js script that use several tool as part of its execution. Filter as needed. references: diff --git a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml index f5b713f2d9..79694fc58a 100644 --- a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml @@ -30,9 +30,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wsmprovhost_lolbas_execution_process_spawn_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Legitimate applications may trigger this behavior, filter as needed. references: diff --git a/detections/endpoint/wsreset_uac_bypass.yml b/detections/endpoint/wsreset_uac_bypass.yml index 59ddca5c93..c159571148 100644 --- a/detections/endpoint/wsreset_uac_bypass.yml +++ b/detections/endpoint/wsreset_uac_bypass.yml @@ -24,10 +24,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wsreset_uac_bypass_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical - Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://github.com/hfiref0x/UACME diff --git a/detections/endpoint/xsl_script_execution_with_wmic.yml b/detections/endpoint/xsl_script_execution_with_wmic.yml index 3eb5c6e57b..1fffdcc7c3 100644 --- a/detections/endpoint/xsl_script_execution_with_wmic.yml +++ b/detections/endpoint/xsl_script_execution_with_wmic.yml @@ -18,10 +18,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xsl_script_execution_with_wmic_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation From 47ec8dbbddab81ccdc7694720024b9d76a85e329 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Fri, 15 Sep 2023 13:46:33 -0700 Subject: [PATCH 45/47] fixes --- detections/endpoint/detect_html_help_url_in_command_line.yml | 2 +- detections/endpoint/living_off_the_land.yml | 4 ++-- .../endpoint/services_lolbas_execution_process_spawn.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/detect_html_help_url_in_command_line.yml b/detections/endpoint/detect_html_help_url_in_command_line.yml index c6a5efecb7..4c48fead88 100644 --- a/detections/endpoint/detect_html_help_url_in_command_line.yml +++ b/detections/endpoint/detect_html_help_url_in_command_line.yml @@ -20,7 +20,7 @@ data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http* - by Processes.dest Processes.user Processes.parent_process Processes.original_file_name + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`' diff --git a/detections/endpoint/living_off_the_land.yml b/detections/endpoint/living_off_the_land.yml index 8a69f0ffd0..cc2429ec7b 100644 --- a/detections/endpoint/living_off_the_land.yml +++ b/detections/endpoint/living_off_the_land.yml @@ -39,14 +39,14 @@ tags: asset_type: Endpoint confidence: 70 impact: 90 - message: An increase of Living Off The Land behavior has been detected on $affected_systems$ + message: An increase of Living Off The Land behavior has been detected on $risk_object$ mitre_attack_id: - T1105 - T1190 - T1059 - T1133 observable: - - name: affected_systems + - name: risk_object type: Hostname role: - Victim diff --git a/detections/endpoint/services_lolbas_execution_process_spawn.yml b/detections/endpoint/services_lolbas_execution_process_spawn.yml index 54f6922d45..9b00bc6219 100644 --- a/detections/endpoint/services_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/services_lolbas_execution_process_spawn.yml @@ -47,7 +47,7 @@ tags: asset_type: Endpoint confidence: 60 impact: 90 - message: Services.exe spawned a LOLBAS process on $dest + message: Services.exe spawned a LOLBAS process on $dest$ mitre_attack_id: - T1543 - T1543.003 From eae9147b3d8cf77412dea63e4f80287648f74e28 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 20 Sep 2023 09:40:12 -0700 Subject: [PATCH 46/47] remove dynamic risk score --- .../endpoint/windows_ad_privileged_object_access_activity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml index 0bebe89a2b..632456d589 100644 --- a/detections/endpoint/windows_ad_privileged_object_access_activity.yml +++ b/detections/endpoint/windows_ad_privileged_object_access_activity.yml @@ -33,9 +33,9 @@ search: '`wineventlog_security` EventCode=4662 ObjectName IN ( "CN=Organization Management,*") | rex field=ObjectName "CN\=(?[^,]+)" | stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName +| rename SubjectUserName as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` -| eval user = SubjectUserName, risk_score = case(object_count=1,40,object_count>1,object_count*30,true(),40) | `windows_ad_privileged_object_access_activity_filter`' how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. known_false_positives: Service accounts or applications that routinely query Active Directory for information. From e5bd4447d228f4c62b2e2924c9e042ad9dcc27f3 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 20 Sep 2023 09:42:49 -0700 Subject: [PATCH 47/47] update score --- .../endpoint/windows_ad_privileged_object_access_activity.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml index 632456d589..c769b04122 100644 --- a/detections/endpoint/windows_ad_privileged_object_access_activity.yml +++ b/detections/endpoint/windows_ad_privileged_object_access_activity.yml @@ -48,7 +48,7 @@ tags: - Active Directory Discovery asset_type: Endpoint confidence: 50 - impact: 50 + impact: 80 message: The account $user$ accessed $object_count$ privileged AD object(s). mitre_attack_id: - T1087 @@ -73,7 +73,7 @@ tags: - EventCode - Computer - SubjectUserName - risk_score: 25 + risk_score: 40 security_domain: endpoint tests: - name: True Positive Test