From 5ac47ddd856c1c9a2e8887018d652e35373d671d Mon Sep 17 00:00:00 2001 From: pyth0n1c Date: Tue, 30 Jul 2024 14:19:23 -0700 Subject: [PATCH 1/2] fix some names and data sources to be more compliant --- ...windows_esx_admins_group_creation_security_event.yml} | 9 ++++++--- ...yml => windows_esx_admins_group_creation_via_net.yml} | 8 ++++---- ...windows_esx_admins_group_creation_via_powershell.yml} | 6 +++--- .../windows_known_abused_dll_loaded_suspiciously.yml | 2 +- .../windows_lolbas_executed_outside_expected_path.yml | 4 ++-- .../windows_outlook_webview_registry_modification.yml | 2 +- 6 files changed, 17 insertions(+), 14 deletions(-) rename detections/endpoint/{windows_security_esx_admins_group_event.yml => windows_esx_admins_group_creation_security_event.yml} (92%) rename detections/endpoint/{windows_net_creating_of_esx_admins_group.yml => windows_esx_admins_group_creation_via_net.yml} (94%) rename detections/endpoint/{windows_powershell_create_esx_admins_group.yml => windows_esx_admins_group_creation_via_powershell.yml} (94%) diff --git a/detections/endpoint/windows_security_esx_admins_group_event.yml b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml similarity index 92% rename from detections/endpoint/windows_security_esx_admins_group_event.yml rename to detections/endpoint/windows_esx_admins_group_creation_security_event.yml index 7ff1e36b3f..38d8bd496d 100644 --- a/detections/endpoint/windows_security_esx_admins_group_event.yml +++ b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml @@ -1,9 +1,12 @@ -name: Windows Security ESX Admins Group Event +name: Windows ESX Admins Group Creation Security Event id: 53b4c927-5ec4-47cd-8aed-d4b303304f87 version: 1 date: '2024-07-30' author: Michael Haag, Splunk -data_source: [] +data_source: +- Windows Event Log Security 4727 +- Windows Event Log Security 4730 +- Windows Event Log Security 4737 type: TTP status: production description: This analytic detects creation, deletion, or modification of the "ESX Admins" group in Active Directory. These events may indicate attempts to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). @@ -18,7 +21,7 @@ search: ' `wineventlog_security` EventCode IN (4727, 4730, 4737) ) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_security_esx_admins_group_event_filter`' + | `windows_esx_admins_group_creation_security_event_filter`' how_to_implement: To successfully implement this search, ensure that Windows Security Event logging is enabled and being ingested into Splunk, particularly for event codes 4727, 4730, and 4737. Configure Group Policy settings to audit these specific events. known_false_positives: Legitimate administrators might create, delete, or modify an "ESX Admins" group for valid reasons. Verify that the group changes are authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities. references: diff --git a/detections/endpoint/windows_net_creating_of_esx_admins_group.yml b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml similarity index 94% rename from detections/endpoint/windows_net_creating_of_esx_admins_group.yml rename to detections/endpoint/windows_esx_admins_group_creation_via_net.yml index 9d8d7d205e..17a42c082d 100644 --- a/detections/endpoint/windows_net_creating_of_esx_admins_group.yml +++ b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml @@ -1,13 +1,13 @@ -name: Windows Net Creating of ESX Admins Group +name: Windows ESX Admins Group Creation via Net id: 3d7df60b-3332-4667-8090-afe03e08dce0 version: 1 date: '2024-07-30' author: Michael Haag, Splunk data_source: -- Sysmon EventID 1 +- Sysmon EventID 1 type: TTP status: production -description: This analytic detects attempts to create an "ESX Admins" group using the Windows net.exe or net1.exe commands. This activity may indicate an attempt to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). Attackers can use this method to gain unauthorized access to ESXi hosts by recreating the 'ESX Admins' group after its deletion from Active Directory. +description: This analytic detects attempts to create an "ESX Admins" group using the Windows net.exe or net1.exe commands. This activity may indicate an attempt to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). Attackers can use this method to gain unauthorized access to ESXi hosts by recreating the "ESX Admins" group after its deletion from Active Directory. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") @@ -19,7 +19,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_net_creating_of_esx_admins_group_filter`' + | `windows_esx_admins_group_creation_via_net_filter`' how_to_implement: To successfully implement this search, you need to be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: Legitimate administrators might create an "ESX Admins" group for valid reasons. Verify that the group creation is authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities. references: diff --git a/detections/endpoint/windows_powershell_create_esx_admins_group.yml b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml similarity index 94% rename from detections/endpoint/windows_powershell_create_esx_admins_group.yml rename to detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml index 2163bc3826..04869a9d40 100644 --- a/detections/endpoint/windows_powershell_create_esx_admins_group.yml +++ b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml @@ -1,10 +1,10 @@ -name: Windows PowerShell Create ESX Admins Group +name: Windows ESX Admins Group Creation via PowerShell id: f48a5557-be06-4b96-b8e8-be563e387620 version: 1 date: '2024-07-30' author: Michael Haag, Splunk data_source: -- Powershell 4104 +- Powershell Script Block Logging 4104 type: TTP status: production description: This analytic detects attempts to create an "ESX Admins" group using PowerShell commands. This activity may indicate an attempt to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). Attackers can use this method to gain unauthorized access to ESXi hosts by recreating the 'ESX Admins' group after its deletion from Active Directory. @@ -16,7 +16,7 @@ search: '`powershell` EventCode=4104 | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_powershell_create_esx_admins_group_filter`' + | `windows_esx_admins_group_creation_via_powershell_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. You can find additional setup instructions in the Splunk documentation for configuring PowerShell logging. known_false_positives: Legitimate administrators might create an "ESX Admins" group for valid reasons. Verify that the group creation is authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities. references: diff --git a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml index 964d91c8a2..b7c0d61ace 100644 --- a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml +++ b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml @@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic detects when DLLs with known abuse history are loaded from an unusual location. This activity may represent an attacker performing a DLL search order or sideload hijacking technique. These techniques are used to gain persistence as well as elevate privileges on the target system. This detection relies on Sysmon EID7 and is compatible with all Officla Sysmon TA versions. data_source: -- Sysmon 7 +- Sysmon EventID 7 search: '`sysmon` ImageLoaded EventCode=7 NOT ImageLoaded IN ("*\\Program Files*","*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*") | stats latest(ProcessGuid) as process_guid, count, min(_time) as firstTime, max(_time) as lastTime by User, Computer, Image, ImageLoaded | rename User as user, Computer as dest, Image as process, ImageLoaded as loaded_file diff --git a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml index 2fbc729935..2702505025 100644 --- a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml +++ b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml @@ -7,8 +7,8 @@ status: production type: TTP description: The following analytic identifies a LOLBAS process being executed outside of it's expected location. Processes being executed outside of expected locations may be an indicator that an adversary is attempting to evade defenses or execute malicious code. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. data_source: -- Sysmon EID 1 -- Windows Security EID 4688 +- Sysmon EventID 1 +- Windows Event Log Security 4688 search: '| tstats `security_content_summariesonly` latest(Processes.parent_process) as parent_process, latest(Processes.process) as process, latest(Processes.process_guid) as process_guid count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process != "unknown" AND NOT Processes.process_path IN ("*\\Program Files*","*\\PROGRA~*","*\\Windows\\System32\\*","*\\Windows\\Syswow64\\*") BY Processes.user Processes.dest Processes.parent_process_name Processes.process_name Processes.process_path |`drop_dm_object_name(Processes)` | lookup lolbas_file_path lolbas_file_name as process_name OUTPUT description as desc diff --git a/detections/endpoint/windows_outlook_webview_registry_modification.yml b/detections/endpoint/windows_outlook_webview_registry_modification.yml index bec687396e..c60975a5c7 100644 --- a/detections/endpoint/windows_outlook_webview_registry_modification.yml +++ b/detections/endpoint/windows_outlook_webview_registry_modification.yml @@ -7,7 +7,7 @@ data_source: - Sysmon EventID 13 type: Anomaly status: production -description: The following analytic identifies modifications to specific Outlook registry values related to WebView and Today features. It detects when a URL is set in these registry locations, which could indicate attempts to manipulate Outlook's web-based components. The analytic focusing on changes to the "URL" value within Outlook's WebView and Today registry paths. This activity is significant as it may represent an attacker's effort to redirect Outlook's web content or inject malicious URLs. If successful, this technique could lead to phishing attempts, data theft, or serve as a stepping stone for further compromise of the user's email client and potentially sensitive information. +description: The following analytic identifies modifications to specific Outlook registry values related to WebView and Today features. It detects when a URL is set in these registry locations, which could indicate attempts to manipulate Outlook's web-based components. The analytic focuses on changes to the "URL" value within Outlook's WebView and Today registry paths. This activity is significant as it may represent an attacker's effort to redirect Outlook's web content or inject malicious URLs. If successful, this technique could lead to phishing attempts, data theft, or serve as a stepping stone for further compromise of the user's email client and potentially sensitive information. search: '| tstats `security_content_summariesonly` count values(Registry.registry_value_name) as registry_value_name values(Registry.registry_value_data) as registry_value_data min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path="*\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\*" OR Registry.registry_path="*\\Software\\Microsoft\\Office\\*\\Outlook\\Today") AND From db0707458c7d2ce92f4224657cea642b4058c4f0 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 30 Jul 2024 14:26:23 -0700 Subject: [PATCH 2/2] extra space --- .../windows_esx_admins_group_creation_security_event.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml index 38d8bd496d..631c86f244 100644 --- a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml +++ b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml @@ -1,4 +1,4 @@ -name: Windows ESX Admins Group Creation Security Event +name: Windows ESX Admins Group Creation Security Event id: 53b4c927-5ec4-47cd-8aed-d4b303304f87 version: 1 date: '2024-07-30'