
Dlux update #2906

Closed
wants to merge 34 commits into from

Conversation

dluxtron (Collaborator) commented Oct 31, 2023

PR Summary

There are 24 new detections, updates to 12 detections, and 5 new lookup files included in this PR.
Also included a whole stack of AD centric detections focusing on group policy & ACLs of AD objects. Potentially worth putting together as its own analytic story? Or just included as part of the sneak AD story (current state).

Breakdown of each of the new/modified files below

6 New Detections - misc: Utilising the CIM Datamodel

detections/application/authentication_dm_distributed_password_spray.yml
detections/application/authentication_dm_password_spray.yml
detections/endpoint/windows_network_share_discovery_with_net.yml
detections/network/internal_horizontal_port_scan.yml
detections/network/internal_vertical_port_scan.yml
detections/network/internal_vulnerability_scan.yml

3 New Detections: Misc

detections/application/windows_increase_in_group_or_object_modification_activity.yml
detections/application/windows_increase_in_user_modification_activity.yml
detections/endpoint/windows_vulnerable_driver_installed.yml

5 Updates to existing detections: Fixes

detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
detections/endpoint/windows_ad_domain_replication_acl_addition.yml
detections/cloud/azure_ad_service_principal_new_client_credentials.yml
detections/cloud/azure_ad_privileged_role_assigned.yml
detections/cloud/azure_ad_global_administrator_role_assigned.yml

4 Updates Misc: (additional references, enhancements etc)

detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
detections/endpoint/windows_admon_default_group_policy_object_modified.yml
detections/endpoint/windows_admon_group_policy_object_created.yml

2 Updates to existing detections: Adding support for XmlWinEventLog

detections/endpoint/detect_new_local_admin_account.yml
detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml

15 New Detections: AD Related

detections/application/windows_ad_add_self_to_group.yml
detections/application/windows_ad_dangerous_deny_acl_modification.yml
detections/application/windows_ad_dangerous_group_acl_modification.yml
detections/application/windows_ad_dangerous_user_acl_modification.yml
detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
detections/application/windows_ad_domain_root_acl_deletion.yml
detections/application/windows_ad_domain_root_acl_modification.yml
detections/application/windows_ad_gpo_deleted.yml
detections/application/windows_ad_gpo_disabled.yml
detections/application/windows_ad_gpo_new_cse_addition.yml
detections/application/windows_ad_hidden_ou_creation.yml
detections/application/windows_ad_object_owner_updated.yml
detections/application/windows_ad_privileged_group_modification.yml
detections/application/windows_ad_self_dacl_assignment.yml
detections/application/windows_ad_suspicious_attribute_modification.yml

5 New Lookups to support the SACL/ACE detections

dist/DA-ESS-ContentUpdate/default/transforms.conf
lookups/ace_access_rights_lookup.csv
lookups/ace_access_rights_lookup.yml
lookups/ace_flag_lookup.csv
lookups/ace_flag_lookup.yml
lookups/ace_type_lookup.csv
lookups/ace_type_lookup.yml
lookups/builtin_groups_lookup.csv
lookups/builtin_groups_lookup.yml
lookups/msad_guid_lookup.csv
lookups/msad_guid_lookup.yml

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.

dluxtron changed the title from "Dlux update - WIP" to "Dlux update" on Apr 23, 2024

patel-bhavin (Contributor) commented

@dluxtron : Hey buddy! Can we fix up the conflicts in this PR?

patel-bhavin (Contributor) commented Apr 23, 2024

You can ignore the changes in dist/ since those files are generated automatically so you can remove those changes from dist/

dluxtron (Collaborator, Author) commented

Hey Bhavin, I've reviewed the conflicts, resolved a couple of the redundant ones.

These two which are left, keen to keep the version in this PR if possible.

dluxtron (Collaborator, Author) commented

Adding some updates on Azure detections post BOTS.

Update 1

Problem: List of privileged groups needs to be updated
Fix: Updated list here
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
Detections:
https://research.splunk.com/cloud/a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a/

Update 2
Problem: Source User / Initiated By logic doesn't work when a service principal adds a member to a group
Fix: Use src_user instead of initiatedBy:
| eval initiatedBy = coalesce('initiatedBy.user.userPrincipalName',src_user)

Detections:
https://research.splunk.com/cloud/825fed20-309d-4fd1-8aaf-cd49c1bb093c/
https://research.splunk.com/cloud/a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a/

Update 3

Problem: Target user doesn't pick up when SPNs are added
Fix:
| eval user = coalesce(user,mvfilter('targetResources{}.displayName'!="null"))
Detections:
https://research.splunk.com/cloud/825fed20-309d-4fd1-8aaf-cd49c1bb093c/
https://research.splunk.com/cloud/a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a/

Update 4

Problem: When an SPN is used to add a new Client Secret, this isn't being picked up by the detection
Fix: Add coalesce for the identity and user field | eval user=coalesce(user,identity)
https://research.splunk.com/cloud/e3adc0d3-9e4b-4b5d-b662-12cec1adff2a/

Update 5

Problem: For some reason the IP address wasn't logged for this event during the BOTS capture, which meant events weren't picked up by the alert, which was aggregating by the src_ip field
Fix: move src_ip to the values portion of the stats command: values(src_ip) as src_ip
https://research.splunk.com/cloud/e3adc0d3-9e4b-4b5d-b662-12cec1adff2a/

Update 6

Problem: New Values also includes the previous key details, and creating a key without a name (possibly via PowerShell) causes the field extraction to break.
Fix: Add some SPL magic to remove the previous key details
https://research.splunk.com/cloud/e3adc0d3-9e4b-4b5d-b662-12cec1adff2a/

@dluxtron dluxtron closed this Jul 1, 2024