splunk · patel-bhavin · Jul 30, 2024 · Jul 30, 2024 · Jul 30, 2024
@@ -1,9 +1,12 @@
-name: Windows Security ESX Admins Group Event
+name: Windows ESX Admins Group Creation Security Event
 id: 53b4c927-5ec4-47cd-8aed-d4b303304f87
 version: 1
 date: '2024-07-30'
 author: Michael Haag, Splunk
-data_source: []
+data_source:
+- Windows Event Log Security 4727
+- Windows Event Log Security 4730
+- Windows Event Log Security 4737
 type: TTP
 status: production
 description: This analytic detects creation, deletion, or modification of the "ESX Admins" group in Active Directory. These events may indicate attempts to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085).
@@ -18,7 +21,7 @@ search: ' `wineventlog_security` EventCode IN (4727, 4730, 4737)
     )
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`
-  | `windows_security_esx_admins_group_event_filter`'
+  | `windows_esx_admins_group_creation_security_event_filter`'
 how_to_implement: To successfully implement this search, ensure that Windows Security Event logging is enabled and being ingested into Splunk, particularly for event codes 4727, 4730, and 4737. Configure Group Policy settings to audit these specific events.
 known_false_positives: Legitimate administrators might create, delete, or modify an "ESX Admins" group for valid reasons. Verify that the group changes are authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities.
 references:

@@ -1,13 +1,13 @@
-name: Windows Net Creating of ESX Admins Group
+name: Windows ESX Admins Group Creation via Net
 id: 3d7df60b-3332-4667-8090-afe03e08dce0
 version: 1
 date: '2024-07-30'
 author: Michael Haag, Splunk
 data_source:
-- Sysmon EventID  1
+- Sysmon EventID 1
 type: TTP
 status: production
-description: This analytic detects attempts to create an "ESX Admins" group using the Windows net.exe or net1.exe commands. This activity may indicate an attempt to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). Attackers can use this method to gain unauthorized access to ESXi hosts by recreating the 'ESX Admins' group after its deletion from Active Directory.
+description: This analytic detects attempts to create an "ESX Admins" group using the Windows net.exe or net1.exe commands. This activity may indicate an attempt to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). Attackers can use this method to gain unauthorized access to ESXi hosts by recreating the "ESX Admins" group after its deletion from Active Directory.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) 
     as lastTime from datamodel=Endpoint.Processes where 
     (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") 
@@ -19,7 +19,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   | `drop_dm_object_name(Processes)` 
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`
-  | `windows_net_creating_of_esx_admins_group_filter`'
+  | `windows_esx_admins_group_creation_via_net_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
 known_false_positives: Legitimate administrators might create an "ESX Admins" group for valid reasons. Verify that the group creation is authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities.
 references:

@@ -1,10 +1,10 @@
-name: Windows PowerShell Create ESX Admins Group
+name: Windows ESX Admins Group Creation via PowerShell
 id: f48a5557-be06-4b96-b8e8-be563e387620
 version: 1
 date: '2024-07-30'
 author: Michael Haag, Splunk
 data_source:
-- Powershell 4104
+- Powershell Script Block Logging 4104
 type: TTP
 status: production
 description: This analytic detects attempts to create an "ESX Admins" group using PowerShell commands. This activity may indicate an attempt to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). Attackers can use this method to gain unauthorized access to ESXi hosts by recreating the 'ESX Admins' group after its deletion from Active Directory.
@@ -16,7 +16,7 @@ search: '`powershell` EventCode=4104
   | rename UserID as user 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` 
-  | `windows_powershell_create_esx_admins_group_filter`'
+  | `windows_esx_admins_group_creation_via_powershell_filter`'
 how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. You can find additional setup instructions in the Splunk documentation for configuring PowerShell logging.
 known_false_positives: Legitimate administrators might create an "ESX Admins" group for valid reasons. Verify that the group creation is authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities.
 references:

@@ -7,7 +7,7 @@ status: production
 type: TTP
 description: The following analytic detects when DLLs with known abuse history are loaded from an unusual location. This activity may represent an attacker performing a DLL search order or sideload hijacking technique. These techniques are used to gain persistence as well as elevate privileges on the target system. This detection relies on Sysmon EID7 and is compatible with all Officla Sysmon TA versions.
 data_source:
-- Sysmon 7
+- Sysmon EventID 7
 search: '`sysmon` ImageLoaded EventCode=7 NOT ImageLoaded IN ("*\\Program Files*","*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*") 
 | stats latest(ProcessGuid) as process_guid, count, min(_time) as firstTime, max(_time) as lastTime by User, Computer, Image, ImageLoaded
 | rename User as user, Computer as dest, Image as process, ImageLoaded as loaded_file

@@ -7,8 +7,8 @@ status: production
 type: TTP
 description: The following analytic identifies a LOLBAS process being executed outside of it's expected location. Processes being executed outside of expected locations may be an indicator that an adversary is attempting to evade defenses or execute malicious code. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code.
 data_source: 
-- Sysmon EID 1
-- Windows Security EID 4688
+- Sysmon EventID 1
+- Windows Event Log Security 4688
 search: '|  tstats `security_content_summariesonly` latest(Processes.parent_process) as parent_process, latest(Processes.process) as process, latest(Processes.process_guid) as process_guid count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process != "unknown" AND NOT Processes.process_path IN ("*\\Program Files*","*\\PROGRA~*","*\\Windows\\System32\\*","*\\Windows\\Syswow64\\*") BY Processes.user Processes.dest Processes.parent_process_name Processes.process_name Processes.process_path 
 |`drop_dm_object_name(Processes)`
 | lookup lolbas_file_path lolbas_file_name as process_name OUTPUT description as desc

@@ -7,7 +7,7 @@ data_source:
 - Sysmon EventID 13
 type: Anomaly
 status: production
-description: The following analytic identifies modifications to specific Outlook registry values related to WebView and Today features. It detects when a URL is set in these registry locations, which could indicate attempts to manipulate Outlook's web-based components. The analytic focusing on changes to the "URL" value within Outlook's WebView and Today registry paths. This activity is significant as it may represent an attacker's effort to redirect Outlook's web content or inject malicious URLs. If successful, this technique could lead to phishing attempts, data theft, or serve as a stepping stone for further compromise of the user's email client and potentially sensitive information.
+description: The following analytic identifies modifications to specific Outlook registry values related to WebView and Today features. It detects when a URL is set in these registry locations, which could indicate attempts to manipulate Outlook's web-based components. The analytic focuses on changes to the "URL" value within Outlook's WebView and Today registry paths. This activity is significant as it may represent an attacker's effort to redirect Outlook's web content or inject malicious URLs. If successful, this technique could lead to phishing attempts, data theft, or serve as a stepping stone for further compromise of the user's email client and potentially sensitive information.
 search: '| tstats `security_content_summariesonly` count values(Registry.registry_value_name) as registry_value_name values(Registry.registry_value_data) as registry_value_data min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where 
   (Registry.registry_path="*\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\*" OR 
   Registry.registry_path="*\\Software\\Microsoft\\Office\\*\\Outlook\\Today") AND